Windows Server

Mount NFS Share in Windows 10

Where is a need, there is a how-to do it for my friends.  Today it’s mounting of a NFS Share via Windows 10

Install the NFS Client (Services for NFS)
The first thing we need to do is install the NFS Client which can be done by following the steps below:

Step 1: Open Programs and Features.

Step 2: Click Turn Windows features on or off.

Step 3: Scroll down and check the option Services for NFS, then click OK

Step 4: Once installed, click Close and exit back to the desktop.

How to Mount an NFS Share
From the Windows Machine, Open the Command Prompt or Power Shell Prompt type the following command:

mount -o anon \\host-ip\nfs-share-name drive-letter:

The share is now mounted and we can access the data by navigating to the X: drive.
To validate your successful mount you can use the following command “mount” to review your connected mount points

 

Windows Server 2016, AppLocker Rules

AppLocker rules can be set up by using group policy in a Windows domain and have been very useful in limiting the execution of arbitrary executable files. AppLocker takes the approach of denying all executables from running unless they have specifically been whitelisted and allowed.

AppLocker is available in Windows Desktop and Servers.  Desktop Windows require Enterprise Editions.
The AppLocker requirements can be found here.

Note:  before implementing AppLocker rules in a production environment it is important to perform thorough testing. AppLocker will not allow anything to run unless it has been explicitly whitelisted. So keep in mind those non-standard installs to the system root or other drives (C:\ or E:\).

 

AppLocker Rule Types:

  • Executable Rules: These rules apply to executables, such as .exe and .com files.
  • Windows Installer Rules: These rules apply to files used for installing programs such as .msi, .mst and .msp files.
  • Script Rules: These rules apply to scripts such as .bat, .js, .vbs, .cmd, and .ps1 files.
  • Packaged App Rules: These rules apply to the Windows applications that may be downloaded through the Windows store with the .appx extension.

With each of these rules, we can also whitelist based on the publisher, path, or file hash.

  • Publisher: This method of whitelisting items is used when creating default rules as we’ll soon see, it works based on checking the publisher of the executable and allowing this. If the publisher, file name or version etc change then the executable will no longer be allowed to run.
  • Path: Executables can be whitelisted by providing a folder path, for example, we can say that anything within C:\tools is allowed to be run by a specific active directory user group.
  • File Hash: While this may be the most secure option, it is inconvenient to work with and manage. If a file changes at all, for instance, if an executable is updated, it will not be allowed to run as the allowed hash will have changed too.

 

AppLocker Configuration:

  • Open Server Manager, selecting Tools, followed by Group Policy Management.
  • From the Group Policy Management window that opens, we’ll select the group policy objects folder within the domain, right click and select new to create a new group policy object (GPO). In this case, we’ll create one called AppLocker Rules.
  • From within the Group Policy Management Editor (GPME). Select Computer Configuration > Policies > Windows Settings > Security Settings > Applications Control Policies > AppLocker
  • In the main AppLocker interface where we can create executable, windows installer, script, and packaged app rules. We can get started with the default settings by clicking the “Configure rule enforcement”  By default each of these four items is unticked and not enabled, we can tick the box next to “Configured” to enable to set the rules to be “Enforced”.

 

 


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more info: https://www.microsoft.com/en-us/learning/exam-70-744.aspx

Hyper-V, and Automatic Virtual Machine Activation in Windows Server 2016

Windows Server 2012 R2 introduced a feature called “Automatic Virtual Machine Activation” (AVMA), and now in Windows Server 2016, this feature has been carried forward. This feature was primarily designed for Web Hosters but found usefulness in internal Hyper-V server for testing lab machines.

What is Automatic Virtual Machine Activation (AVMA)?

Automatic Virtual Machine Activation is a feature that handles the activation process for an instance of Windows Server inside a Hyper-V virtual machine so it does not need to directly contact any other system to activate the Windows Server instance.

AVMA is engineered to digitally facilitate the guest virtualization rights allowance of the Windows Server Datacenter license. If the physical host is properly licensed to run Windows Server Datacenter, then any number of virtual instances running the same or a lower edition and the same or earlier version of Windows Server is included.

Requirements for Automatic Virtual Machine Activation?

You must have a Datacenter Edition of Windows Server 2012 R2 or Windows 2016 installed as the management operating system with the Hyper-V role enabled. AVMA is a feature of the operating system, not Hyper-V itself.

How to Configure a Virtual Machine for AVMA?

When prompted for a license key, you simply give it the key that matches the operating system of the virtual machine.

Guest Operating System’s and Keys

Windows Server 2012 R2 Essentials
K2XGM-NMBT3-2R6Q8-WF2FK-P36R2

Windows Server 2012 R2 Standard
DBGBW-NPF86-BJVTX-K3WKJ-MTB6V

Windows Server 2012 R2 Datacenter
Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW

Windows Server 2016 Essentials
B4YNW-62DX9-W8V6M-82649-MHBKQ

Windows Server 2016 Standard
C3RCX-M6NRP-6CXC9-TW2F2-4RHYD

Windows Server 2016 Datacenter
TMJ3Y-NTRTM-FJYXT-T22BY-CWG3J

These keys will be accepted by any operating system but if AVMA is not detected they will move into an unlicensed mode.

Ref: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn303421(v=ws.11)

 

Windows Server 2016 Core: Active Directory Domain Services

To lower my memory footprint in my home lab I decided to move from into Windows Server 2016 Core.  That said running Active Directory Domain Service seems to be the perfect candidate to start with my new architectured lab environment.

There are several prerequisites required for enabling ADDS, but I am not going to get into those here as if your reading this, there is a good chance you already know what those are.

We will be installing what is commonly referred to as a new forest/domain.

Step 1: Validate your hostname, IP address, and DNS settings

  1. Log into the console of your Windows Server 2016 Core System
    You need to log in as an administrator and should arrive at a command prompt
  2. Enter the command Sconfig and press enter
    The Server Configuration tool interface should be displayed
  3. Use the setting options to validate your host’s configuration

 

Step 2:  Installing Domain Services 

  1. From the Windows Server 2016 Core command prompt type: powershell then press enter.
    This will change your shell mode to PowerShell allowing you to use additional commands.
  2. Type Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    This will install the ADDS roles on the Windows Server 2016 Core System
  3. When completed type: Install-ADDSForest -DomainName yourdomain.tld
    Here is where you choose the name of your domain to be installed.
  4. You will be required to provide a recovery password, please enter one and take note of it
  5. Next, you will be asked to confirm the pending changes and allow the server host to be restarted
    Click yes to continue
  6. Your server will be restarted and return as a Domain Controller

 

Step 3: Validate DC Services

  1. From the Windows Server 2016 Core command prompt type: powershell then press enter.
    This will change your shell mode to PowerShell allowing you to use additional commands.
  2. Issue the following command line: Get-Service adws,kdc,netlogon,dns
    This will return details on the installed services 
  3. Issue the command Get-SmbShare
    This returns details about available shares, specifically the systvol and netlogon shares
  4. Use the get-eventlog command to review logs
    Example: get-eventlog “Directory Service” | select entrytype, source, eventid, message

 

Windows Server 2016 Core: Apply Windows Updates, with SCONFIG

In my previous post ‘Windows Server 2016 Core Configuration, with SCONFIG‘ I stepped through how to use the sconfig tool to modify settings on Windows Server 2016 Core.  In this post, I will introduce you to how to go about running Windows Updates and applying them to your server.

Here are the steps I used:

  1. Log into the console of your Windows Server 2016 Core System
    You need to log in as an administrator and should arrive at a command prompt
  2. Enter the command Sconfig and press enter
    The Server Configuration tool interface should be displayed
  3. Select 6 from the Server Configuration List
    This opens the Windows update software, allowing you to search for updatable software
  4. Select from the list of results the software update that you would like to download and install.
    You can choose a single update or update them all
  5. Depending on the update you may be required to reboot your system, select yes to restart

That’s it – Congrats you have updated your Windows Server 2016 Core Server