Servers

Servers power many organisations and are even making their way into homes (even if it is a simple NAS box). With more RAM than you could even imagine (I have to admit I’m a RAM addict) and processors that make the latest and greatest gaming PC look minuscule in comparison, it is these mighty machines that make the world go round.

In configuring the Microsoft Intune Certificate Connector and attempting to issue certificates to your client via Intune you might run into the error message below.

IssuePfx – COMException: System.Runtime.InteropServices.COMException (0x80094800): The requested certificate template is not supported by this CA. (Exception from HRESULT: 0x80094800)
   at CERTENROLLLib.IX509CertificateRequestPkcs10V2.InitializeFromTemplateName (X509CertificateEnrollmentContext Context, String strTemplateName)
   at Microsoft.Management.Services.NdesConnector.MicrosoftCA.GetCertificate (PfxRequestDataStorage pfxRequestData, String& certificate, String& password)

Failed to issue Pfx certificate for Device ID 24c2445e-6cd2-4629-a942-081bdaca9b12 :

In short when configuring the certificate name to be used you’ve probably entered the ‘Template display name’ instead of the ‘Template name’ – note the difference in the screenshot where the template name doesn’t include any spaces.

Given the complexity of this feature I’ve found the guide at this link really handy in setting it up in the past:

https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-configuring-and-troubleshooting-pfx-pkcs/ba-p/516450
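To check which of the two names was entered, the following added example (not part of the original post or the linked guide) looks the value up against both attributes of the certificate templates in Active Directory. It assumes the ActiveDirectory RSAT module is installed; the function name and the sample value 'Intune PKCS User' are hypothetical.

```powershell
# Added example: tell a 'Template name' apart from a 'Template display name'.
Import-Module ActiveDirectory

function Resolve-CertificateTemplateName {
    param(
        [Parameter(Mandatory)]
        [string]$Name   # the value typed into the Intune certificate profile
    )

    # Certificate templates are stored in the forest's configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $templates = Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties displayName

    # cn (returned as .Name) is the 'Template name' the connector needs;
    # displayName is the 'Template display name' shown in the console.
    $hits = @($templates | Where-Object { $_.Name -eq $Name -or $_.displayName -eq $Name })

    if (-not $hits) {
        return [pscustomobject]@{
            Entered      = $Name
            TemplateName = $null
            DisplayName  = $null
            Verdict      = 'No template has this name or display name'
        }
    }

    foreach ($t in $hits) {
        [pscustomobject]@{
            Entered      = $Name
            TemplateName = $t.Name
            DisplayName  = $t.displayName
            Verdict      = if ($t.Name -eq $Name) { 'OK: this is the template name' }
                           else { 'Display name entered: use TemplateName instead' }
        }
    }
}

# Constructed sample value; replace with the name from your own profile.
Resolve-CertificateTemplateName -Name 'Intune PKCS User' | Format-List
```

Running `certutil -CATemplates` on the CA lists, by template name, the templates that CA is set to issue, which confirms the value returned in TemplateName is one the CA will accept.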


Today we have the answer to the question – Without SSL decryption how many threats/attempted vulnerability exploits/other bad stuff will I miss that are coming from the internet at my internally hosted (externally published) web sites and services?
To run some simple tests (which will be detected as malicious attacks) I’m going to be running the Nessus scanner against a website behind a Palo Alto Networks Next Generation Firewall, while we won’t get the same results that might be seen from a ‘determined attacker’ we will get an idea of how things look from the standpoint of a ‘casual attacker’.

In short the answer is you’ll miss a lot – without decryption of traffic coming at your own web servers it’s pretty much impossible to detect attacks (with some minor exceptions) that are hiding inside HTTPS, either way let’s see how it’s done…

Kit list for this testing:

  • An ‘internal’ web service, in this case the web console for PRTG Network Monitor (running on Windows Server)
  • A Palo Alto Networks Next Generation Firewall – a PA-850 running PAN-OS 8.1 with a full suite of licences
  • The Nessus vulnerability scanner

Both the firewall and the web service have been configured to run TLS1.2 with the private key for the certificate on both (which allows the firewall to decrypt the traffic without breaking connections) and the latest firmware/security updates have been applied across the board.

For some time there have been plenty of examples of backing up Palo Alto Firewalls with curl commands (extracting the files using the XML API) however that may not sit well with some Windows administrators who want to use PowerShell. As such I’ve put together the BackupPANNGFWConfig repo on GitHub which contains the scripts to get ahold of the API keys needed and then to perform the backups for a series of firewalls.

To get the scripts drop by the link below and for the configuration see the screenshot sequences in this post. You will need a basic understanding of Palo Alto Firewalls, PowerShell and Windows Server to work through these steps.

Super important note, this script is configured to use a TLS1.2 connection to the firewall as well as only allow connections to a firewall with a trusted security certificate – if you jump on the web management interface of the firewalls from the server that you are running the script from you should see the ‘secure’ padlock icon in the address bar.

https://github.com/jamesfed/BackupPANNGFWConfig

With the scripts all configured you will then want to configure a scheduled task on the server to take these backup files on a regular basis.
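The two stages described above (fetch an API key, then export the configuration over a TLS 1.2 connection with certificate validation left on) look roughly like this. This is an added example, not the code from the BackupPANNGFWConfig repo; the hostnames, folder paths and function names are constructed placeholders.

```powershell
# Added example, not the repo's scripts. Names and paths below are placeholders.
# Offer TLS 1.2 only. Certificate validation stays at its default, so a firewall
# presenting an untrusted or mismatched certificate makes the request fail.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$Firewalls = 'fw1.example.internal', 'fw2.example.internal'
$KeyDir    = 'D:\PANBackup\Keys'
$BackupDir = 'D:\PANBackup\Configs'

function Save-PanApiKey {
    param([string]$Firewall, [pscredential]$Credential)
    # POST keeps the credentials in the request body rather than the URL.
    $resp = Invoke-RestMethod -Method Post -Uri "https://$Firewall/api/" -Body @{
        type     = 'keygen'
        user     = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    }
    # Export-Clixml protects a SecureString with DPAPI for the current user.
    ConvertTo-SecureString $resp.response.result.key -AsPlainText -Force |
        Export-Clixml -Path (Join-Path $KeyDir "$Firewall.xml")
}

function Backup-PanConfig {
    param([string]$Firewall)
    $secure = Import-Clixml -Path (Join-Path $KeyDir "$Firewall.xml")
    $key    = [pscredential]::new('api', $secure).GetNetworkCredential().Password
    $out    = Join-Path $BackupDir ("{0}-{1:yyyyMMdd-HHmmss}.xml" -f $Firewall, (Get-Date))

    Invoke-WebRequest -Method Post -Uri "https://$Firewall/api/" -UseBasicParsing `
        -OutFile $out -Body @{ type = 'export'; category = 'configuration'; key = $key }

    # API errors also come back as XML (<response status="error">), so confirm
    # the saved file really is a configuration before treating it as a backup.
    $root = ([xml](Get-Content -Raw -Path $out)).DocumentElement.Name
    if ($root -ne 'config') {
        Remove-Item -Path $out
        throw "Export from $Firewall did not return a configuration (root element: $root)"
    }
    $out
}

# One-off, interactive: foreach ($fw in $Firewalls) { Save-PanApiKey $fw (Get-Credential) }
# Scheduled task:
foreach ($fw in $Firewalls) { Backup-PanConfig -Firewall $fw }
```

Because the stored keys are protected with DPAPI, the scheduled task has to run as the same account, on the same server, that ran `Save-PanApiKey`.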

Bit of a crazy issue when deploying a new Ruckus wireless network – in first suspecting an issue with the controller software or perhaps some kind of access control list blocking traffic it turns out that the default Windows Firewall rule for allowing NPS traffic is broken in some fashion.

Having tried this (and it working fine) on Windows Server 2012 R2/2016 it really does appear to be isolated to Server 2019.

Discovering this came about with a few traffic captures combined with the wonderful NTRadPing tool. The fix is to manually create the rule, see the screenshots below on how to do this.

After a great many years since Custom RemoteFX RDS Farm it’s time for something new! After much discussion and looking at the working practices at my current place of work we’ve decided to go all in with RDS and to support that we’ve got 3 new servers to run it on.

2x 1U rack mounts to go in our main server room with 1x tower for our DR room.

Photos below!

For a little while now we’ve had issues with the uniFLOW Server service (version 5.3) not starting in a timely fashion (2hrs+).

After a harrowing tale of working with their support going in circles looking at issues with SQL Server and suchlike we worked out that the issue seemed to be caused by stale files at ‘C:\Program Files (x86)\Common Files\NT-ware Shared\ActiveJobs’ some of which were many months old or 0KB in size.

Ultimately the solution was to stop the uniFLOW Service (force quit it using Task Manager if it’s still in a broken ‘starting’ state) and then delete the contents of that folder with the exception of the readme_activejobsfolder.txt file (which mentions that you shouldn’t do anything to these files!) and then start the uniFLOW Service (which started up in a few minutes).

In putting together a small RDS (Session Based) environment on Server 2016 today I kept running across the error message below during the installation.

Failed: Unable to install the role services.

After much back and forth between forums and event viewer it turns out our default policy to disable TLS 1.0 on servers was the issue. Enabling TLS 1.0 (through the registry or with the fantastic IIS Crypto – https://www.nartac.com/Products/IISCrypto) ended up sorting the issue for us.

Thanks to the organising committee of the (Oxford and Cambridge) College IT Conference 2018 held at the RAF Museum (Hendon) for the invite to talk about PowerShell and Server Core! As promised the video from the presentation is now up on YouTube; in addition the slides as PowerPoint and PDF can be seen below.

  Presentation (PowerPoint) (28.5 MiB, 1,490 hits)

  Presentation (PDF) (4.9 MiB, 1,590 hits)

30/03/2018 Update

Microsoft have published this blog post – https://cloudblogs.microsoft.com/windowsserver/2018/03/29/windows-server-semi-annual-channel-update which clarifies the difference between the Long-Term Servicing Channel (Server 2016/2019/so on) against the Semi-Annual Channel. Do have a read!

With thanks to the 50 staff from across the University for attending please see below the links to the videos and PowerPoints of the day!

Direct link to Playlist – https://www.youtube.com/watch?list=PLRxbdlgJzwyjAf820T0u4GpP0E01a9LEX&v=u-GVJ_0VuRM

Slides as PowerPoint

  1 Intro (4.3 MiB, 1,661 hits)

  2 MDT (85.2 MiB, 2,042 hits)

  3 PowerShell (27.5 MiB, 1,806 hits)

  4 PRTG Network Monitor (47.5 MiB, 1,845 hits)

  5 OpenVAS (32.9 MiB, 1,696 hits)

  6 WSUS and Chocolatey (60.3 MiB, 1,917 hits)

  7 NPS and VLANs (10.7 MiB, 2,791 hits)

Slides as PDF

  1 Intro (2.0 MiB, 1,804 hits)

  2 MDT (2.2 MiB, 2,149 hits)

  3 PowerShell (1.8 MiB, 2,261 hits)

  4 PRTG Network Monitor (3.2 MiB, 1,704 hits)

  5 OpenVAS (2.3 MiB, 1,857 hits)

  6 WSUS and Chocolatey (2.9 MiB, 2,059 hits)

  7 NPS and VLANs (1.4 MiB, 2,236 hits)

Stay tuned over the coming days for the scripts that are mentioned through the video which will be linked to from this post.

This entry is part 4 of 4 in the series A Windows SysAdmin installs and uses OpenVAS

In my environment all of our network connected devices are configured to respond to PINGs; this mainly comes about from using PRTG Network Monitor to confirm that devices and services are up even in the most simple of fashions. The same also applies to client PCs which through Group Policy are configured to reply to PING. Thus to save OpenVAS some work while doing its scans I’ve got a custom scan configured (which will be used in later blog posts) that will only scan hosts which reply to PING.

Have a look at the screenshot sequence below to see how to configure such a scan.