WARNING: THIS link will download Policy Analyzer 3.0 and samples in a safe zip file from Microsoft:
Microsoft Policy Analyzer 3.0 is now available, and according to Aaron Margosis: “Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs).” A PDF file included with the download explains how to use the application. The updated 3.0 version also includes several PolicyRules files that can be imported into Policy Analyzer and compared against the computer’s effective policies or against any imported GPO backup files.
The best use of this software, in my opinion, is to run it in a domain to analyze your organization’s Group Policy Objects and look for conflicts with Local Policies or between the GPOs themselves. You can point it at the SYSVOL folder and import the Group Policy Objects that are in use in the domain. Comparing them flags any conflicts, and you can export the results to an Excel spreadsheet. It is an excellent tool that takes some time to get used to, but it is extremely important for any security professional to analyze an organization’s policies this way.
(Microsoft’s Channel 9 Podcast – Defrag Tools)
I recently installed Security Compliance Manager 4.0 using an already installed instance of SQL Server 2016 Express. This is how you need to install SCM 4.0 on Windows 10, since SQL Server 2008 is no longer compatible with Windows 10. If you do not already have SQL Server Express installed, download and install SQL Server Express 2014 or 2016 and install just the database engine. Then install Security Compliance Manager 4.0; it will ask for an installed instance of SQL Server, and you must choose the name of the instance that you just installed. SCM 4.0 will then install successfully on Windows 10. Although Petri.com posted a review of Microsoft Security Compliance Manager in 2014, there is now a new version available, and this post will discuss version 4.0. Security Compliance Manager lets you download Microsoft’s recommended security baselines for Windows 7, 8 and 10, for Windows Server 2012 and 2016, and for SQL Server 2012. These baselines contain Group Policy settings that Microsoft recommends for securing your Active Directory domains.
Also available now is Policy Analyzer.
Photo of Policy Analyzer from Microsoft Security Guidance blog on Microsoft TechNet.
The most interesting of the new baselines is perhaps the Windows 10 1607 Security Baseline, and it is available to download after you install Security Compliance Manager 4.0. This baseline can be exported to an Excel spreadsheet that separates the settings and configurations into different tabs. For some reason I am not able to preview this page anymore as I type it, I think adding Google tag manager has screwed it up. So I’m going to post this and then investigate what happened, and I might have to remove the Google Tag Manager. Hopefully I will continue this post later, if you have any questions about these two security software applications from Microsoft feel free to email me at james at jgnetworksecurity.com.
Nano Server Image Builder Select Scenario page
The Nano Server Image Builder is a simple GUI tool that helps create a Virtual Hard Disk of a Nano Server image for a virtual machine, or it can create a bootable USB drive for a physical installation. You can download the tool from the Microsoft Download Center.
Screenshots: Nano Server Image Builder pages 2 and 3.
The first thing you want to do before you start creating a Nano Server image is to mount a Windows Server 2016 ISO. This creates a drive letter with the Windows Server 2016 image mounted, which the application requires because the Nano Server media folder needs to be available to it. This application is basically a front end for the PowerShell cmdlet New-NanoServerImage. Now go through the wizard and be sure to give the Virtual Hard Disk a name by entering Name.vhdx. If you want to join this Nano Server to a domain before starting it, you will have to provision a djoin.exe blob first. When the wizard completes and the Nano Server VHD or VHDX file has been created, create a new Hyper-V virtual machine and use this VHDX as its hard drive.
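The same build done from PowerShell, as an added example that is not from the original post or from Microsoft: it calls the New-NanoServerImage cmdlet the wizard wraps. The mounted ISO drive letter D:, the C:\NanoBuild paths, the computer name, domain and switch name are all placeholders.

```powershell
# Added example: build a Nano Server VHDX for a Hyper-V guest with the
# NanoServerImageGenerator module that ships on the Server 2016 ISO.
# Assumption: the ISO is mounted as D:; adjust the drive letter to match.
Import-Module 'D:\NanoServer\NanoServerImageGenerator\NanoServerImageGenerator.psd1'

# Optional offline domain join: run this first on a domain-joined admin machine
# that may create computer objects, then pass the blob to -DomainBlobPath.
# (corp.example.com and Nano1 are placeholders.)
# djoin.exe /provision /domain corp.example.com /machine Nano1 /savefile C:\NanoBuild\Nano1.djoin

$params = @{
    Edition                    = 'Standard'
    DeploymentType             = 'Guest'   # Guest = Hyper-V VM, Host = physical
    MediaPath                  = 'D:\'
    BasePath                   = 'C:\NanoBuild\Base'
    TargetPath                 = 'C:\NanoBuild\Nano1.vhdx'
    ComputerName               = 'Nano1'
    DomainBlobPath             = 'C:\NanoBuild\Nano1.djoin'
    # Prompt for the password so it never sits in the script or shell history
    AdministratorPassword      = (Read-Host -AsSecureString 'Local Administrator password')
    EnableRemoteManagementPort = $true     # allow WinRM through the image firewall
}
New-NanoServerImage @params

# Attach the VHDX to a new Generation 2 VM and start it.
# Assumption: a virtual switch named 'Default Switch' exists on this host.
New-VM -Name 'Nano1' -MemoryStartupBytes 1GB -Generation 2 `
       -VHDPath 'C:\NanoBuild\Nano1.vhdx' -SwitchName 'Default Switch'
Start-VM -Name 'Nano1'
```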
Screenshots: Nano Server Image Builder wizard pages 4 through 9, page 10 (Advanced Configuration), page 11 (Add Servicing Packages), page 12 (Add Scripts and Binaries), the Turn on Debugging Mode and Developer Mode page, and the final page of the wizard.
Windows Spectrum – This service has the name Spectrum and is described with the following caption: “Synthesizes perceived environment captured through reality understanding modules.” It will most likely be used with HoloLens and augmented reality or virtual reality accessories. If you are just using Windows 10 as a computer and not with any HoloLens-type devices, it should be safe to disable this service or leave it set to Manual.
WFDSConMgrSvc – This service is used with wireless devices; the exact description states “Manages connections to wireless services, including wireless display and docking.” It should also be safe to disable this service if you are not using any wireless displays or docking stations.
PrintWorkflowUserSvc_290d03 – This service is also new and could have a different combination of letters and numbers at the end of its name. Not much information here; it’s related to some type of printing workflow, perhaps 3D printing?
Payments and NFC/SE Manager – This service is named “SEMgrSvc” and should only be necessary if you are running Windows on a newer mobile-type PC that has Near Field Communication capabilities. On an older PC you can disable this service.
LPA Service – Also named wlpasvc. This service provides profile management for subscriber identity modules.
Dusmsvc – Dusmsvc does not come with an explanation; however, Microsoft documentation explains that DUSM stands for Data Usage Subscription Management, so if you are just using your computer at home and don’t have to worry about data usage limits, then you can leave this service alone as well. You may want to keep it if you are ever curious how much data Windows 10 uses, since that could be measured with the help of this service. MSDN documentation explains that “The Data Usage Subscription Management (DUSM) schema defines elements that are used to describe cost information for a subscriber’s connection to a metered network.”
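A script to review these services before touching them, added here as an example that is not from the original post. It reports each service’s state, start mode and description, and moves the ones a plain desktop does not need to Manual rather than Disabled so they can still start if a device turns up later. The per-user service suffix and registry template handling are assumptions based on how Windows names per-user service instances.

```powershell
# Added example: inspect the new Windows 10 services discussed above. Run elevated.
$candidates = @(
    'Spectrum',       # Windows Perception (Spectrum)
    'WFDSConMgrSvc',  # Wi-Fi Direct Services Connection Manager
    'SEMgrSvc',       # Payments and NFC/SE Manager
    'wlpasvc',        # LPA Service (SIM profile management)
    'Dusmsvc'         # Data Usage Subscription Management
)

# Win32_Service gives the description and start mode that Get-Service does not show.
# PrintWorkflowUserSvc_<suffix> is matched with a wildcard because the suffix varies.
$report = Get-CimInstance Win32_Service |
    Where-Object { $candidates -contains $_.Name -or $_.Name -like 'PrintWorkflowUserSvc_*' } |
    Select-Object Name, DisplayName, State, StartMode, Description
$report | Format-Table -AutoSize -Wrap

# Per-user services are instances of a template service; changing the instance is
# undone at next logon, so the template's Start value is what to change if needed
# (3 = Manual, 4 = Disabled). Left commented out: review the report first.
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\PrintWorkflowUserSvc' -Name Start -Value 3

foreach ($name in $candidates) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "$name not present on this build"; continue }
    if ($svc.StartType -ne 'Manual') {
        Set-Service -Name $name -StartupType Manual
        Write-Host "$name set to Manual (was $($svc.StartType))"
    }
}
```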
There is a folder called Panther that holds the logs setupact.log and setuperr.log. The setupact.log contains a running log of the installation progress for the latest build install. If the install fails, Windows will normally roll back to the previous build without telling the user why it failed, and this Panther folder may hold the only answers. The setuperr.log should show just the last error in the install process, which may help diagnose exactly why the installation of the latest build failed. However, most likely you want to read setupact.log.
Microsoft has issued a statement that, in order to keep receiving updates to the built-in PSDesiredStateConfiguration resources that ship in the box with Windows 10 and Windows Server 2016, you should now use the PSDscResources module from the PowerShell Gallery instead of the old PSDesiredStateConfiguration module. It can be downloaded and installed with Find-Module PSDscResources | Install-Module. This module currently contains an updated Service DSC resource, which is very useful. The reason I like to use the Service DSC resource is that services sometimes stop on their own, and there is usually no easy way to tell whether a service is still running without opening the Services console, querying via PowerShell, or checking in Server Manager.
Services like the Windows Firewall or Component Services (ComSysApp) will cause network problems if they stop running. File sharing between computers on the same network may fail if either of these services is stopped. The Windows Firewall service (mpssvc) actually causes the most damage when it is not running, and sometimes it gets corrupted because of conflicting Group Policies, or it may just stop. Although DSC is not going to solve every problem that may cause the Windows Firewall service to stop, it will be able to start the service and make sure it is running, barring any corruption or permission errors.
I often will set some of my machines up with DSC and the service resource to ensure that the ComSysApp is running, if I need to make sure that these computers are found on the network. The ComSysApp service is needed for some remote administration as well. Many times when I have been troubleshooting why a computer disappeared from the network or from remote administration, it has involved this service being stopped for some reason.
Example DSC Configuration using the new Service resource:
    Configuration Server1Service
    {
        # Pin with -ModuleVersion <installed version> if more than one version is installed
        Import-DscResource -ModuleName PsDscResources

        # Node name matches the -ComputerName used with Start-DscConfiguration below
        Node Server1
        {
            Service ComSysApp
            {
                Name           = "ComSysApp"
                BuiltInAccount = "LocalSystem"
                DisplayName    = "COM+ System Application"
                StartupType    = "Automatic"
                State          = "Running"
            }

            # Remote Registry widens the remote attack surface; keep it only where
            # remote administration actually needs it
            Service RemoteRegistry
            {
                Name           = "RemoteRegistry"
                BuiltInAccount = "LocalService"
                DisplayName    = "Remote Registry"
                StartupType    = "Automatic"
                State          = "Running"
            }
        }
    }

    # Compile the MOF, then push it to Server1
    Server1Service -OutputPath C:\Dsc -Verbose
    Start-DscConfiguration -ComputerName Server1 -Path C:\Dsc\ -Wait -Verbose
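One thing a pushed Service configuration does not do by itself is restart a service that stops later: the Local Configuration Manager defaults to ApplyAndMonitor, which only reports drift. The following is an added example, not from the original post, that switches the LCM to ApplyAndAutoCorrect and then checks compliance without opening the Services console. The node name Server1 and the path C:\Dsc\Lcm are placeholders.

```powershell
# Added example: make the LCM on Server1 re-apply the configuration on every
# consistency check (here every 15 minutes) so a stopped service is restarted.
[DSCLocalConfigurationManager()]
Configuration Server1Lcm
{
    Node Server1
    {
        Settings
        {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15
            RebootNodeIfNeeded             = $false
        }
    }
}

Server1Lcm -OutputPath C:\Dsc\Lcm
Set-DscLocalConfigurationManager -Path C:\Dsc\Lcm -ComputerName Server1 -Verbose

# Ask the node whether every resource (each Service block) is in the desired state;
# -Detailed lists the ones that drifted, e.g. a service that is no longer Running.
$result = Test-DscConfiguration -ComputerName Server1 -Detailed
if ($result.InDesiredState) {
    Write-Host 'All monitored services are in the desired state'
} else {
    $result.ResourcesNotInDesiredState |
        Select-Object ResourceId, InstanceName, InDesiredState |
        Format-Table -AutoSize
}

# Outcome of the most recent consistency run on the node
Get-DscConfigurationStatus -CimSession Server1 |
    Select-Object Status, Type, StartDate, NumberOfResources
```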
It looks like BitTorrent Sync has been deprecated (basically the name), and its developers have left the BitTorrent name to form a company named Resilio. Well, at least that’s what BitTorrent Sync is saying. They claim that the BitTorrent Sync application is no longer being maintained or updated. The new application is now called Resilio Sync, and when you update it you see the following:
I’ve been using BitTorrent Sync for a few years to keep a backup cloned copy of important folders on two of my laptops. It works great.
It is confusing why this technical preview has not been released to the public yet, since it is version 14291 and the Windows 10 technical preview build is already 14316, but I’m guessing that maybe they are going to release Technical Preview 5 as a later build, hopefully one that is more similar to the latest Windows 10 preview build. It is very strange that it wasn’t released to the public, because at Build there were some sessions that mentioned Server Technical Preview 5 and said it was going to be released soon, but it’s been almost a month and still nothing. However, since the torrents are available to download, I tried it out. If you install it over Technical Preview 4, it is going to ask for a product key (if you clean install, it lets you skip this by selecting “I do not have a product key”). The product keys accepted are the same as for the Technical Preview 4 release, and I will list them below:
Server 2016 Datacenter TP5 Key: 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67
Server 2016 Essentials TP5 Key: FVPY2-6KNF7-8CKF8-YHJDY-BBDJ8
I just received a Kindle Unlimited 7-day trial, and they are letting me read any books I want for 7 days. Well, that’s not long enough to even read one book when you are doing a million other things, but it’s nice to be able to read anything you ever wanted to check out for free, even if it’s only for a week. UPDATE: After you finish your 7 days, Amazon will shoot you an email to extend the trial for another 30 days; then you have to click the link in the email, sign back into Amazon, and then….
Well, that’s where it gets tricky. I was on my phone this morning and I did what the email said, only to then log in and be on a screen that said CONTINUE YOUR AMAZON UNLIMITED Subscription… so I’m gonna do some more hunting around to figure out how to extend the trial for 30 days more, but I wanted to update this post so the 7-day trial won’t discourage anyone from giving it a shot.
Click the following link to check out the Kindle store; you may have to do a little digging to get the free trial, but it is available if you have never used it before.
Microsoft has released a Beta version of its EMET tool. You can download it from here: http://www.microsoft.com/en-us/download/details.aspx?id=49166 This was released back in October, but I have been running version 5.2 for a long time, so I installed the new Beta version to see what’s new. If you are running an older operating system such as Windows Vista or Windows 7, you probably won’t benefit much from any new features, but if you are running Windows 10 or Server 2012 R2, I would suggest trying it in a lab environment first before deploying it to any production environments.
Changes to the GUI include, most noticeably, a new section that says “Block Untrusted Fonts”. This setting is included to support Windows 10 only. Other new features include better configuration of various mitigations via GPO; however, I am still trying to figure out how not to crash the app when clicking on the Group Policy button. There are also EAF/EAF+ pseudo-mitigation performance improvements. More information can be found on the TechNet blog.
The first bug I found on my Windows 10 system involves the new Group Policy button in the toolbar on the top left. I clicked the button and a box opened up that showed the name of my domain at the top, but it also said LOCAL GROUP POLICY, and it eventually crashed the EMET GUI dashboard before anything else happened. I collected a dump and I’m analyzing it, as it may be related to my domain’s Group Policy settings anyway, so this may not affect you as it did over here. However, this crash happens on more than one computer, so I sent it in to Microsoft’s EMET feedback.