www.dambeck.ch

The other side of the Internet


Today we take a closer look at Microsoft Active Directory in the 2008 native mode. One of the problems that Windows administrators often face in daily business is setting password policies for the whole company. Under Windows Server 2003 it was not possible to set more than one policy for the accounts, so everybody from the domain administrator to the user needed the same complex password. Active Directory in version 2008 has a new object type in the schema called the PSO (Password Settings Object). The only way to create the PSO is in ADSI Edit. Click on Start and enter “adsiedit.msc”.

 

In ADSI Edit, connect to the “Default naming context” and browse to CN=Password Settings Container,CN=System,DC=YourDomain,DC=YourDomain. With a right click you can create a new PSO with a wizard (I am not 100 % sure, but it is a wise idea to do this with the newest version of adsiedit.msc on the server).

The wizard shows up and you are able to set the PSO settings:
•    Password settings precedence
•    Password reversible encryption status for user accounts
•    Password history length for user accounts
•    Password complexity status for user accounts
•    Minimum password length for user accounts
•    Minimum password age for user accounts
•    Maximum password age for user accounts
•    Lockout threshold for lockout of user accounts
•    Observation window for lockout of user accounts
•    Lockout duration for locked out user accounts
•    Links to objects that this password settings object applies to (forward link).

The last setting is very nice: the policy is now bound to an Active Directory global, universal or domain local group. The PSO does not outweigh the older GPO-based policy. If a user has a policy through both PSO and GPO, the GPO policy is enforced.

To use the PSO, the PDC Emulator FSMO role must be configured on the Windows 2008 Server. The domain and forest functional level must be at least Windows Server 2008. The PSO works on Windows XP, Vista, 2003 and 2008 Servers.
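The wizard's labels correspond to msDS-* attributes on the PSO, and its four time settings are typed as d:hh:mm:ss but stored as negative counts of 100-nanosecond ticks. The PowerShell below is an added example, not part of the original post: it converts those values and checks a planned PSO for ordering mistakes before it is typed into ADSI Edit. The function names, the sample values and the group DN are assumptions made for illustration.

```powershell
# Added example: all values are constructed; the group DN is a placeholder.
function ConvertTo-PsoInterval {
    param([Parameter(Mandatory=$true)][string]$Text)
    # The wizard takes d:hh:mm:ss; the directory stores the interval as a
    # negative count of 100-nanosecond ticks.
    if ($Text -notmatch '^(\d+):([01]\d|2[0-3]):([0-5]\d):([0-5]\d)$') {
        throw "Expected d:hh:mm:ss, got '$Text'"
    }
    $seconds = [int64]$Matches[1] * 86400 + [int64]$Matches[2] * 3600 +
               [int64]$Matches[3] * 60 + [int64]$Matches[4]
    return -10000000 * $seconds
}

function Test-PsoDefinition {
    param([Parameter(Mandatory=$true)][hashtable]$Pso)
    $stored = @{}
    foreach ($name in 'msDS-MinimumPasswordAge', 'msDS-MaximumPasswordAge',
                      'msDS-LockoutObservationWindow', 'msDS-LockoutDuration') {
        $stored[$name] = ConvertTo-PsoInterval $Pso[$name]
    }
    $problems = @()
    if ($Pso['msDS-PasswordSettingsPrecedence'] -lt 1) { $problems += 'precedence must be 1 or higher' }
    if ($stored['msDS-MaximumPasswordAge'] -eq 0) { $problems += 'maximum password age cannot be zero' }
    # Stored values are negative, so the longer interval is the smaller number.
    if ($stored['msDS-MinimumPasswordAge'] -lt $stored['msDS-MaximumPasswordAge']) {
        $problems += 'minimum password age exceeds maximum password age' }
    if ($stored['msDS-LockoutObservationWindow'] -lt $stored['msDS-LockoutDuration']) {
        $problems += 'observation window exceeds lockout duration' }
    if ($Pso['msDS-PasswordReversibleEncryptionEnabled']) { $problems += 'reversible encryption is enabled' }
    if (-not $Pso['msDS-PSOAppliesTo']) { $problems += 'msDS-PSOAppliesTo is empty, PSO applies to nobody' }
    New-Object PSObject -Property @{ Stored = $stored; Problems = $problems }
}

$adminPso = @{
    'msDS-PasswordSettingsPrecedence'          = 10
    'msDS-PasswordReversibleEncryptionEnabled' = $false
    'msDS-PasswordHistoryLength'               = 24
    'msDS-PasswordComplexityEnabled'           = $true
    'msDS-MinimumPasswordLength'               = 15
    'msDS-MinimumPasswordAge'                  = '1:00:00:00'
    'msDS-MaximumPasswordAge'                  = '42:00:00:00'
    'msDS-LockoutThreshold'                    = 5
    'msDS-LockoutObservationWindow'            = '0:00:30:00'
    'msDS-LockoutDuration'                     = '0:00:15:00'   # deliberately shorter than the window
    'msDS-PSOAppliesTo'                        = 'CN=Example Admins,CN=Users,DC=YourDomain,DC=YourDomain'
}
$result = Test-PsoDefinition $adminPso
$result.Stored.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$result.Problems
```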

Enjoy the simplified yet smarter password policy
Cheers Konrad

Part One. Today and in my next posts we want to take a closer look at the security settings of a Windows server. One good way to start is the "Security Configuration Wizard", referred to below as SCW. The wizard was patched into the operating system with SP1. In release 2 of Windows Server 2003 you don't need to patch; it is at SP2 from the start. To enable the feature, just open the Windows components dialog ("Add or Remove Programs" -> "Add/Remove Windows Components") and mark the check box. Now you need to insert the Windows disk. In the "Administrative Tools" you will find a new program, "Security Configuration Wizard". Or just run "scw.exe" from the Run dialog.

On the start-up screen of the SCW there is the first important notice. The message indicates that the wizard will detect inbound ports that are being used by this server. This requires that all applications that use inbound ports be running before you run the wizard and create the security policy. In my lab the server will work as a file and print server. To make it a little harder, the lab server also runs TeamSpeak, which is not a Microsoft application. The TeamSpeak server will listen on UDP port 8767.

After clicking Next, the wizard asks to create a new policy. The next part is interesting: you are able to choose the local or a remote server. My preferred option is to install the SCW on each server and make local scans. Now we are able to check the version of the "Security DB". If you need a special service on many servers which is not listed, edit the XML files in "%SystemRoot%\Security\msscw\policies%". More information about the XML files can be found via Google. After skipping the window we are able to choose the server roles. In the next dialog we are able to choose the client features like DHCP client, WINS client and many more. Now Microsoft wants us to choose which options are installed on the server. The SCW now detects non-Windows services. In my lab it finds the VM Tools :-) .

Now we must approve the disabling of unused services. Please check the list very carefully. Now the big magic continues with the approval of TCP/IP ports. Please check the list very carefully. Now comes one of the biggest "lion's dens". In the registry the SCW will change settings for "SMB Security Signatures", "LDAP Signing", "Outbound Authentication Protocols" and "Inbound Authentication Protocols". With these settings enabled, the server is hardened against most man-in-the-middle attacks, and password cracking will not be so easy. The audit policy is a mixed blessing. It is very important for finding security issues in the logs, but studying the logs takes a lot of time. So just enable the normal logging. Enter a description and save the policy file. Now you are able to apply the policy now or later. Applying the policy will force a restart of the server!

After applying the policy the TeamSpeak server stops working, as expected. But after editing the policy again and inserting port 8767, all services work fine.
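Because the wizard only detects inbound ports whose applications are running during the scan, it helps to confirm first that every service the server must offer is actually listening. The PowerShell below is an added example, not from the original post: it checks constructed "netstat -ano" output against a list of required ports. The port list, the addresses and the function name are assumptions based on the lab described above.

```powershell
# Added example. The netstat lines are constructed sample output, and the
# required-port list is an assumption modelled on the lab in this post.
$netstatOutput = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:445           10.0.0.23:1061         ESTABLISHED     4
  UDP    10.0.0.5:137           *:*                                    4
  UDP    10.0.0.5:138           *:*                                    4
'@ -split "`r?`n"

function Get-InboundPort {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = @(-split $line)                  # split on whitespace
        if ($f.Count -lt 4) { continue }
        $proto = $f[0]
        if ($proto -ne 'TCP' -and $proto -ne 'UDP') { continue }   # header, blanks
        # TCP rows carry a state column; only LISTENING sockets accept inbound.
        if ($proto -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }
        $local = $f[1]
        $port  = $local.Substring($local.LastIndexOf(':') + 1)
        "$proto/$port"
    }
}

# Ports this server is supposed to offer: file and print sharing plus TeamSpeak.
# The constructed capture above deliberately contains no TeamSpeak listener.
$required  = 'TCP/139', 'TCP/445', 'UDP/8767'
$listening = @(Get-InboundPort $netstatOutput | Sort-Object -Unique)
$missing   = @($required | Where-Object { $listening -notcontains $_ })

if ($missing.Count -gt 0) {
    "Start these services before running SCW: $($missing -join ', ')"
} else {
    'All required ports are listening; the wizard can detect them.'
}
```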

 

My conclusion on the Microsoft Security Configuration Wizard is: the tool is very easy to use and brings many good changes in a short time. The use of SCW should be carefully tested. But I strongly advise its use on all Windows servers.

Windows 7


It’s new, it’s hot, it’s Seven and it’s in beta: the new version of the Microsoft client operating system. Since the 10th of January the beta version can be obtained from www.microsoft.com. So let’s take a short look at Microsoft’s new philosopher’s stone. In this little video you can see the installation of Windows Seven. Take a special look at the hard drive partitioning and at the new HomeGroup feature.

 

After some exploring of the new OS I feel fine, because not everything has changed. Here is a screenshot of my first bluescreen on Seven. The screen appeared when I tried to install the VMware Tools. After a reboot the install worked fine.

If you want to try Seven yourself, an in-place upgrade should work from Vista SP1, or do a new installation. The installation needs 6,4 GB of disk space.

Some nice things in the beta are Internet Explorer 8, Media Player, DirectX 11, a newly dressed Paint GUI and a freaky taskbar.

Generally the new design looks very nice, and User Account Control is not as annoying as in Vista. My guess is that Microsoft is on the right way with Windows Seven build 7000.

Vienna


“Seiens grüsst”, or however everyone says it here. Things are a bit quiet on the blog at the moment. That is because I am scattered all over Europe. At the moment I live in Vienna, in beautiful Austria. I tell you, not all the clichés about the Austrians are true.

The first cliché: the Viennese eat nothing but “Wienerli” (Vienna sausages) all the time. Not true. When I stood at the sausage stand around the corner and asked the nice man behind the counter whether he would give me a pair of Vienna sausages, I got strange looks, because here the sausages are called “Frankfurter Würstchen”. The people of Frankfurt probably call the sausages “lozarner Würstchen”.

The second cliché: the Wiener schnitzel is made with veal, not with pork. Strange, isn't it?

The third cliché: Vienna is expensive. That is only partly true. According to the Big Mac Index, Austria ranks above Switzerland. Since money is, as everyone knows, not everything, I did the quality test and came to the conviction that it tastes good in Austria too.


What fascinated me even more, though, is that the Illuminati were in Vienna, or rather still are. In the Karlskirche I discovered this picture on the ceiling as a fresco.

The Mona Lisa