Active Directory domain in DMZ. Firewall rules.

Deploying an Active Directory domain in a perimeter network (DMZ) usually requires changes to the firewalls. The question is: which ports must be opened, and from which computers?

The answer is not obvious. To simplify the deployment of the firewall rules and (very important!) the communication with the Network Support team, I designed an Excel spreadsheet. The spreadsheet has a single page that lists all the groups and rules that must be configured on the firewall. You can easily customize it and then share it with the network administrators.

Active Directory domain security hardening with Microsoft Security Compliance Manager (SCM). Twelve easy steps.

A step-by-step guide to creating, exporting and importing Group Policy Objects with the recommended security baselines for your domain.

The article provides a complete guide to deploying the required GPOs. The guide assumes that you deploy the security baselines for Windows Server 2008 R2 SP1; you can easily adapt it to other versions of Windows.

Step 1. Prerequisites
Step 2. Domain Security Hardening GPO – Baseline design
Step 3. Domain Security Hardening GPO – Baseline export
Step 4. Domain Controllers Security Hardening GPO – Baseline customization
Step 5. Domain Controllers Security Hardening GPO – Baselines merge
Step 6. Domain Controllers Security Hardening GPO – Baselines export
Step 7. Member Servers Security Hardening GPO – Baseline design
Step 8. Member Servers Security Hardening GPO – Baseline export
Step 9. Target domain – GPO folders copying
Step 10. Target domain – The first GPO creation and settings import
Step 11. Target domain – Creation and import of two more GPOs
Step 12. Target domain – GPO assignments

User Account Control issue

After applying the CIS security hardening baselines to Windows Server you may notice an annoying window asking you to press Alt-Ctrl-End every time you try to perform an administrative task:

To fix this behaviour you must change either the Group Policy that contains the security baseline settings or the Local GPO (if the baseline was applied locally).

After the change, all elevations are performed without the additional window.

Troubleshooting SCCM 2012 Software Updates download

Sometimes SCCM returns an error message when you try to download an update:

The first step in the troubleshooting process is finding a log file named PatchDownloader.log. Its location is not obvious, because it is not stored in the standard Program Files\Configuration Manager\Logs folder together with the other SCCM logs.

Instead, PatchDownloader.log is created on the local computer from which you open the System Center 2012 Configuration Manager console, in the %temp% folder.

The %temp% folder itself is located within your user profile: C:\Users\<user_name>\AppData\Local\Temp.

If you open the System Center 2012 Configuration Manager console in a Remote Desktop session on a site server, the %temp% location is slightly different: C:\Users\<user_name>\AppData\Local\Temp\2.

Once you have found the PatchDownloader.log file, open it with the CMTrace tool and review it.

The most likely reason is that one or more updates are being blocked by your security scanner, for example Websense.

The solution is to download the required updates manually (PatchDownloader.log contains the URLs of the updates) and then import them into SCCM from a local disk instead of from the Microsoft Update site.
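The following PowerShell script is an added example, not part of the original post: it looks for PatchDownloader.log in the console user's %temp% folder (and in any numbered session subfolder such as Temp\2), prints the lines that mention a failure, and extracts the download URLs so the updates can be fetched manually from a machine that is not behind the content filter. It assumes the log records the update sources as plain http(s) URLs; the regular expression is generic and not tied to a specific log line layout.

```powershell
# Added example: locate PatchDownloader.log and pull out errors and download URLs.
# Run it on the workstation (or in the RDP session) where the SCCM console is open.

$tempRoot = $env:TEMP
# Candidate locations: %temp% itself and any numbered Remote Desktop session subfolder (e.g. Temp\2)
$candidates = @(Join-Path $tempRoot 'PatchDownloader.log')
$candidates += Get-ChildItem -Path $tempRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+$' } |
    ForEach-Object { Join-Path $_.FullName 'PatchDownloader.log' }

$logs = $candidates | Where-Object { Test-Path -Path $_ }
if (-not $logs) {
    Write-Warning "PatchDownloader.log not found under $tempRoot. Retry the download from the SCCM console first; the file is created by the console process."
    return
}

foreach ($log in $logs) {
    Write-Host "=== $log ==="
    $lines = Get-Content -Path $log

    # 1. Failure indicators (-match is case-insensitive): HTTP errors, proxy or scanner blocks, etc.
    Write-Host "Last 20 lines that mention a failure:"
    $lines | Where-Object { $_ -match 'error|fail|denied|forbidden|HTTP_STATUS' } |
        Select-Object -Last 20

    # 2. Unique download URLs, for fetching the updates manually and importing them from a local disk.
    #    The pattern stops at whitespace, quotes, angle brackets and ']' (the CMTrace line terminator).
    $urls = $lines |
        Select-String -Pattern 'https?://[^\s"<>\]]+' -AllMatches |
        ForEach-Object { $_.Matches.Value } |
        Sort-Object -Unique
    Write-Host "`nDownload URLs recorded in the log:"
    $urls
}
```

Compare the URLs against the content filter's block log: an update whose URL appears in the failure lines but downloads fine from an unfiltered host confirms the scanner as the cause.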

Domain controller post-promotion tasks: time synchronization

After you finish installing the first domain controller in a new forest, a couple of important settings must be configured:
  • Time synchronization
  • Windows Activation service location
This part explains how to configure

Time synchronization

The PDC Emulator must be synchronized with a reliable time source. In large companies this is usually one of the internal routers, which is configured to sync its time with an external NTP server.

Once you have finished installing the domain controller, log on to it, open an elevated Command Prompt and enter the following command:

w32tm /config /manualpeerlist:"<FQDN_of_internal_NTP_server> <IP_address_of_internal_NTP_server>" /syncfromflags:manual /reliable:yes /update

Ensure that the command has completed successfully.

Open the Event Viewer console from Administrative Tools.
Select the Windows Logs > System node.

Ensure that events 35 and 37 from the Time-Service source have been logged.

Open event 37 and read the message details: "The time provider NtpClient is currently receiving valid time data from <Your_NTP_server>" on port UDP:123.
The message indicates that the time source server was successfully contacted and that the communication has crossed all firewalls.

Open event 35 and read the message details: "The time service is now synchronizing the system time with the time source <Your_NTP_server>" on port UDP:123.
The event indicates that the domain controller (PDC Emulator) is able to receive regular time updates from the time server.
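The script below is an added example and not part of the original post. It performs the same w32tm configuration as above from an elevated PowerShell session on the PDC Emulator, triggers an immediate resync, and then checks the System log for Time-Service events 35 and 37 instead of clicking through Event Viewer. The server name and address are placeholders; the PDC Emulator check via Get-ADDomain assumes the ActiveDirectory module, which is present on a domain controller.

```powershell
# Added example: configure the PDC Emulator's manual NTP peer and verify events 35/37.
$NtpServer  = 'ntp.corp.example'   # placeholder: FQDN of the internal NTP server
$NtpAddress = '10.0.0.1'           # placeholder: IP address of the same server
$peerList   = "$NtpServer $NtpAddress"

# Only the PDC Emulator should have a manual external peer; the other DCs follow the domain hierarchy.
$pdc = (Get-ADDomain).PDCEmulator
if ($pdc.Split('.')[0] -ne $env:COMPUTERNAME) {
    throw "This host is not the PDC Emulator ($pdc). Run the script on the PDC Emulator."
}

# Same settings as the w32tm command in the post, followed by an immediate resync.
w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }
w32tm /resync | Out-Null

# Which source is the service using now? (Should print the NTP server, not 'Local CMOS Clock'.)
Write-Host "Current time source: $(w32tm /query /source)"

# Events 35 (synchronizing with the source) and 37 (receiving valid time data), last 15 minutes.
$since  = (Get-Date).AddMinutes(-15)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'   # shown as 'Time-Service' in Event Viewer
    Id           = 35, 37
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No Time-Service events 35/37 since $since. Check that UDP/123 to $NtpAddress is allowed through all firewalls."
} else {
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize

    if (($events.Id -contains 35) -and ($events.Id -contains 37)) {
        Write-Host "Time synchronization with $NtpServer confirmed: events 35 and 37 are present."
    } else {
        Write-Warning "Only one of the two expected events has been logged so far; wait a few minutes and run the check again."
    }
}
```

The first poll after /resync can take a little while to produce event 35, so re-running only the event check is normal; a persistent absence of event 37 together with a source of "Local CMOS Clock" points at a blocked UDP/123 path rather than at the DC configuration.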