AppLocker, ActiveSetup, Group Policy; all the dumb things

Welcome, strangers, to the show
I’m the one who should be lying low
Saw the knives out, turned my back
Heard the train coming, stayed out on the track
In the middle, in the middle, in the middle of a dream
I lost my shirt, I pawned my rings
I’ve done all the dumb things

– Paul Kelly, Dumb Things

Microsoft AppLocker is a wonderful technology which allows your IT department to prevent unapproved programs from being run on your work computer.  Great in theory, and in my experience it works, with some wrinkles.  Broadly, it works by using Group Policy to configure which locations are “Trusted”.

Applocker and Active Setup
Active Setup allows you to execute commands once per user, early during logon.  For example, you might use it to configure iTunes for each user who logs on to the computer.

Each Active Setup command has a file path to the command that needs to run.  If AppLocker does not trust that file path, the Active Setup command fails.

If you are using System Center Configuration Manager (SCCM), it’s likely that you’ll see this failure.

Suggestion:
If you are going to add a “Path” rule to fix this issue, you need to add two: one in the EXE rule collection and another in the MSI rule collection.
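As an added example (not from the original post, and not Microsoft’s own sample), here is a PowerShell fragment that writes the two Path rules the post calls for, one in the Exe collection and one in the Msi collection, for an assumed Active Setup payload folder, and dry-runs them with Test-AppLockerPolicy before anything is merged into the live policy. The folder, rule names and test file names are assumptions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on a box
# with the AppLocker module (Windows 7 / Server 2008 R2 and later).
Import-Module AppLocker

$ActiveSetupDir = '%PROGRAMFILES%\Contoso\ActiveSetup\*'   # assumed folder; AppLocker path variable syntax
$EveryoneSid    = 'S-1-1-0'                                 # well-known SID for Everyone

# One <FilePathRule> element; the same shape is used in the Exe and Msi collections.
function New-PathRuleXml {
    param([string]$Name, [string]$Path, [string]$Sid)
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="$Name" Description="Active Setup payload" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

# EnforcementMode is left NotConfigured so this fragment only contributes rules
# and does not flip the collections' enforcement setting when merged.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
$(New-PathRuleXml -Name 'Active Setup: EXE' -Path $ActiveSetupDir -Sid $EveryoneSid)
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured">
$(New-PathRuleXml -Name 'Active Setup: MSI' -Path $ActiveSetupDir -Sid $EveryoneSid)
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'activesetup-applocker.xml'
Set-Content -Path $xmlPath -Value $policy -Encoding UTF8

# Dry run: which of these files would the fragment allow for Everyone?
# (Assumed file names; Test-AppLockerPolicy needs the files to exist and changes nothing.)
$testFiles = 'C:\Program Files\Contoso\ActiveSetup\setup.exe',
             'C:\Program Files\Contoso\ActiveSetup\config.msi',
             "$env:windir\system32\notepad.exe"      # not covered by the fragment: expect Denied
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $testFiles -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Only after the dry run looks right, merge the two rules into the local policy:
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

Keep the path as narrow as the Active Setup payload actually needs; a Path rule on a folder that standard users can write to would let anything dropped there run, which defeats the point of the policy.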

Removing AppLocker via Group Policy
So for whatever reason, you have a class of “special” computers which AppLocker is not to apply to.  So you remove the AppLocker Group Policy from the “special” computers.  And AppLocker still seems to be blocking programs on them.

What gives?
Well what seems to be happening is this:

  1. The AppLocker Application Identity service (AppIDSvc) is set to Manual.
  2. The AppLocker registry settings are being left behind.
  3. AppLocker causes applications to be blocked.

The fix?

  1. Start the Application Identity service (AppIDSvc)
  2. Logon to the computer.
  3. Restart the computer.

This causes AppLocker to finish removing the registry settings.

Interim Roaming Profile Writes?

In the Citrix Optimization Guide: User Logon, there are two lines which seem a bit cryptic:

With Windows Server 2008 R2 Active Directory, enable interim roaming profile writes.  Alternatively, use a third-party profile solution that manages multiple sessions more appropriately.

“With Windows Server 2008 R2 Active Directory, enable interim roaming profile writes.”

I can’t find a reference to interim roaming profile writes.  The closest setting I can find with Windows 2008 R2 is the Group Policy setting Background upload of a roaming user profile’s registry file while user is logged on.  According to Microsoft’s Ned Pyle, Folder Redirection should take care of the rest of the profile data, which you should be storing in known folders.

So this is the likely setting Citrix is referring to.

“Alternatively, use a third-party profile solution that manages multiple sessions more appropriately.”

In the case of Citrix, they are probably referring to the Active Write Back feature of their Profile Management tool.  With Active Write Back, “Changes are copied back to the network profile when updated files are closed, subject to no further updates in a window of 10 seconds after the close”.

Group Policy Logging on Vista/Windows 7,8,10

At the end of “Our roaming profiles aren’t being saved …”, I wrote that

For Windows Vista and later, the log information is stored in the Event Log, under Applications and Services Logs\Microsoft\Windows\Group Policy\Operational.  Further information on this can be found in this Microsoft TechNet post, Group Policy Logging on Windows Vista.

Well, it is in the event log, but there is also another .log file.  You can enable the Group Policy Client Service (GPSVC) log file.  It seems to provide information solely about which Group Policy settings are being applied.

GPSVC(1278.1dfc) 15:09:59:476 DebugPrintGPOList2: Options: 2, GPOName: {31B2F340-016D-11D2-945F-4FB98400C0F9} DisplayName: Default Domain Policy
GPSVC(1278.1dfc) 15:09:59:483 PrintGPWMIInfo: WMIInfo: GPOName:{15A0E08F-4917-F60B-8358-8B78E802A8B7}, QueryId:{81430147-9924-9351-456D-2329BF3F317F}, NameSpace:noddyland.inside
GPSVC(1278.1dfc) 15:09:59:483 PrintGPWMIInfo: WMIInfo: bFilterAllowed: TRUE, Rules:1;3;10;108;WQL;root\CIMv2;select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%") and ProductType = "1";
GPSVC(1278.1dfc) 15:09:59:484 GetFgPolicySettingImpl (bSync: 1)
GPSVC(1278.1dfc) 15:09:59:485 SaveGPOsToLocalCache(Machine): Server SKU runs in sync mode, skip cache operations.
GPSVC(1278.1dfc) 15:09:59:486 GetGPOInfo: Get 5 GPOs to after filtering.
GPSVC(1278.1dfc) 15:09:59:486 DebugPrintGPOList2: Options: 0, GPOName: Local Group Policy DisplayName: Local Group Policy
GPSVC(1278.1dfc) 15:09:59:487 DebugPrintGPOList2: Options: 0, GPOName: {55DD0EE9-4A06-4707-940B-5482CB34C9EF} DisplayName: Domain Policy - Log files
GPSVC(1278.1dfc) 15:09:59:488 DebugPrintGPOList2: Options: 0, GPOName: {02263A92-9FC5-4B95-B9C0-127ECC8A6C32} DisplayName: COMPUTEROBJECT-Desktops-Everyone
GPSVC(1278.1dfc) 15:09:59:493 DebugPrintGPOList2: Options: 0, GPOName: {E1692B3D-D2DA-4DA6-8683-2663C08C6F69} DisplayName: COMPUTERUSER-User Base settings
GPSVC(1278.1dfc) 15:09:59:494 DebugPrintGPOList2: Options: 2, GPOName: {3140B2F3-016D-11D2-945F-00CFB98044F9} DisplayName: Default Domain Policy
GPSVC(1278.1dfc) 15:09:59:494 GetGPOInfo:  Leaving with 1
GPSVC(1278.1dfc) 15:09:59:495 GetGPOInfo:  ********************************
GPSVC(1278.1dfc) 15:09:59:496 ProcessGPOs(Machine): Get 5 GPOs to process.
GPSVC(1278.1dfc) 15:09:59:496 ReadExtStatus: Reading Previous Status for extension {3378E5AC-683F-11D2-A89A-04FBB00CCFA2}

To enable the log file:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  3. On the Edit menu, point to New, and then click Key.
  4. Type Diagnostics, and then press ENTER.
  5. Right-click the Diagnostics subkey, point to New, and then click DWORD Value.
  6. Type GPSvcDebugLevel, and then press ENTER.
  7. Right-click GPSvcDebugLevel, and then click Modify.
  8. In the Value data box, type 0x30002, and then click OK.
  9. Exit Registry Editor.
  10. At a command prompt, type the following command, and then press ENTER:
    gpupdate /force
  11. View the Gpsvc.log file in the following folder:
    %windir%\debug\usermode

    Note – if the usermode folder does not exist under %windir%\debug, the gpsvc.log file will not be created.  If the usermode folder is missing, create it under %windir%\debug.
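The same eleven steps, scripted, as an added example that is not part of the original post: it sets the registry value from step 8, creates the usermode folder the note warns about, forces a refresh, and then turns the DebugPrintGPOList2 lines of gpsvc.log (the format shown in the excerpt above) into objects so you can see which GPOs were applied and in what order. Function names are this example’s own.

```powershell
# Added example, not from the original post. Run elevated: it writes under HKLM.
$DiagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$LogDir  = Join-Path $env:windir 'debug\usermode'
$LogFile = Join-Path $LogDir 'gpsvc.log'

function Enable-GpsvcDebugLog {
    New-Item -Path $DiagKey -Force | Out-Null                       # step 3-4: create Diagnostics if missing
    New-ItemProperty -Path $DiagKey -Name GPSvcDebugLevel -PropertyType DWord -Value 0x30002 -Force | Out-Null
    New-Item -Path $LogDir -ItemType Directory -Force | Out-Null    # no usermode folder = no log file
}

function Disable-GpsvcDebugLog {
    # Turn the verbose log off again once you have what you need.
    Remove-ItemProperty -Path $DiagKey -Name GPSvcDebugLevel -ErrorAction SilentlyContinue
}

# Parse "GPSVC(pid.tid) hh:mm:ss:ms DebugPrintGPOList2: Options: N, GPOName: X DisplayName: Y"
function Get-GpsvcGpoList {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin {
        $pattern = '^GPSVC\((?<pid>[0-9a-f]+)\.(?<tid>[0-9a-f]+)\) (?<time>\S+) ' +
                   'DebugPrintGPOList2: Options: (?<opt>\d+), GPOName: (?<name>.+?) DisplayName: (?<display>.+)$'
    }
    process {
        if ($Line -match $pattern) {
            New-Object PSObject -Property @{
                Time        = $Matches.time
                Thread      = "$($Matches.pid).$($Matches.tid)"
                Options     = [int]$Matches.opt
                GpoName     = $Matches.name       # GUID, or "Local Group Policy"
                DisplayName = $Matches.display
            }
        }
    }
}

Enable-GpsvcDebugLog
gpupdate /force | Out-Null                                          # step 10
Get-Content $LogFile | Get-GpsvcGpoList |
    Select-Object Time, Thread, Options, GpoName, DisplayName | Format-Table -AutoSize
```

The log is verbose and grows on every refresh, so run Disable-GpsvcDebugLog (and clear %windir%\debug\usermode) when the investigation is over rather than leaving the debug level set on a production build.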

My final(?) SAMBA Post – File copy performance.

I’ve written a bit about SAMBA before, and I hope this will be the last time I do.

A customer was complaining recently that file copy performance from their Windows 7 PC to one of their Unix boxes was dreadful, but that file copy performance was fine when copying to a Windows server.  The customer was kind enough to provide a network capture so I could see what was going on.

Looking at the network capture, I saw that communications to the Unix boxes were using the SMBv1 Protocol, and the communications to the Windows Servers were using SMBv2.

If you Google “smb performance windows 7” you’ll find lots of complaints about Windows 7 being slower than Windows XP for Samba file copies.  It appears that SMBv1 file copies are in fact slower with Windows 7.

The solution I suggested to the customer was that they upgrade the SAMBA version on their Unix boxes to a version which supports SMBv2.  In particular, the “durable file handles” feature will fix their issues.  This SAMBA wiki page has further details.

Enable TLS 1.2 on Windows 7 & 8.

We’re in the process of developing a new Windows 8.1 SOE for a customer.  One of the things I looked at was Internet Explorer HTTPS transmission security.  Out of that, one of the things I recommend is enabling TLS 1.2.

TLS 1.2 – Configure Internet Explorer to use TLS 1.2 by default.
Transport Layer Security (TLS) is how web browsers* communicate securely over the Internet.  The current version, TLS 1.2, has a number of security enhancements and protection mechanisms over previous versions.  Enabling it is not only a Microsoft recommendation, but a good thing.  Internet Explorer will fall back to older TLS versions if the web site doesn’t support TLS 1.2.

You can enable TLS 1.2 support via Group Policy or directly via Internet Explorer –> Internet Options –> Advanced –> Security.
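The Advanced tab checkboxes are stored as one bitmask, SecureProtocols, under the per-user Internet Settings key. The PowerShell below is an added example (not from the original post or from Microsoft) that decodes the current value and then writes a hardened one; the bit values are Microsoft’s, while the “weak” and “hardened” masks and the function names are this example’s choices.

```powershell
# Added example, not from the original post. Per-user setting, so no elevation needed.
$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Bit assignments used by the SecureProtocols DWORD.
$ProtocolBits = @(
    @{ Name = 'SSL 2.0'; Bit = 0x008 },
    @{ Name = 'SSL 3.0'; Bit = 0x020 },
    @{ Name = 'TLS 1.0'; Bit = 0x080 },
    @{ Name = 'TLS 1.1'; Bit = 0x200 },
    @{ Name = 'TLS 1.2'; Bit = 0x800 }
)

function Get-IeSecureProtocols {
    # Decode the current mask into one row per protocol.
    $item = Get-ItemProperty -Path $IeSettings -Name SecureProtocols -ErrorAction SilentlyContinue
    $mask = if ($item) { [int]$item.SecureProtocols } else { 0 }   # 0 here = value absent (IE built-in default applies)
    foreach ($p in $ProtocolBits) {
        New-Object PSObject -Property @{ Protocol = $p.Name; Enabled = [bool]($mask -band $p.Bit) }
    }
}

function Set-IeSecureProtocols {
    param([string[]]$Enable)
    $mask = 0
    foreach ($p in $ProtocolBits) { if ($Enable -contains $p.Name) { $mask = $mask -bor $p.Bit } }
    New-ItemProperty -Path $IeSettings -Name SecureProtocols -PropertyType DWord -Value $mask -Force | Out-Null
    $mask
}

'Current:'
Get-IeSecureProtocols | Select-Object Protocol, Enabled | Format-Table -AutoSize

# Weak (the pre-IE11 default): SSL 3.0 + TLS 1.0 only            -> mask 0x0A0
# Hardened: TLS 1.0, 1.1 and 1.2, nothing older; IE negotiates
# the highest the site supports and falls back within that set   -> mask 0xA80
$new = Set-IeSecureProtocols -Enable 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
'New mask: 0x{0:X}' -f $new
Get-IeSecureProtocols | Select-Object Protocol, Enabled | Format-Table -AutoSize
```

For an SOE you would push this through the Group Policy setting rather than per-user registry edits; the policy writes the same bitmask to the corresponding key under the Policies hive, which users cannot untick.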

How do I test that Internet Explorer is using TLS 1.2?
Visit:

  1. https://cc.dcsec.uni-hannover.de/
    If the webpage reports under the “Further Information” heading that “This connection uses TLSv1.2 with …”, then you have enabled TLS 1.2.
    or
  2. How’s My SSL?  If, under the Version heading, it says TLS 1.2, then you’re using TLS 1.2.

What about other web browsers?
No.  You’ll need to configure each web browser to support TLS 1.2.  Some have better TLS support than others.

How do I tell whether a website supports TLS 1.2?
Use SSL Configuration Checker to test the website.
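If you would rather not send a customer’s hostnames to a third-party checker, the probe below does the same test locally. It is an added example, not from the original post: it opens a TLS session with .NET’s SslStream while offering only TLS 1.2, so a server that cannot speak TLS 1.2 fails the handshake. It needs .NET 4.5 or later for the Tls12 enum value, and the hostname is an assumed placeholder.

```powershell
# Added example, not from the original post. Certificate validation is left at the
# default, so an untrusted certificate also shows up as a failure (read the message).
function Test-Tls12 {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            # Offer *only* TLS 1.2; no fallback, so the outcome answers the question directly.
            $ssl.AuthenticateAsClient($HostName, $null,
                                      [System.Security.Authentication.SslProtocols]::Tls12, $false)
            New-Object PSObject -Property @{
                Host       = $HostName
                Tls12      = $true
                Negotiated = $ssl.SslProtocol.ToString()
                Cipher     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            }
        } finally { $ssl.Dispose() }
    } catch {
        New-Object PSObject -Property @{
            Host = $HostName; Tls12 = $false; Negotiated = $_.Exception.Message; Cipher = ''
        }
    } finally { $tcp.Close() }
}

# Assumed hostname; substitute the site you are checking.
Test-Tls12 -HostName 'www.example.com' | Format-List Host, Tls12, Negotiated, Cipher
```

Running the same function with Tls11 or Tls (1.0) in place of Tls12 tells you which older versions the site still offers, which is the other half of the picture when a host asks you to turn TLS 1.1 or 1.2 off.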

What if my web host tells me to disable TLS 1.1 or TLS 1.2?
”Run!”, would be my first thought.  Your web host is telling you that they are not interested in providing a secure website.

References:
Security Advisory 2868725: Recommendation to disable RC4
Microsoft MSDN Blog – Support for SSL/TLS protocols on Windows
Disabling TLS/SSL RC4 in Firefox and Chrome
RC4 in TLS is Broken: Now What?
IE11 Automatically Makes Over 40% of the Web More Secure While Making Sure Sites Continue to Work
SSL Pulse – Survey of the SSL Implementation of the Most Popular Web Sites

* amongst other things.

Old versions of Samba, and Windows Vista / 7 / 8

The customer reported a problem with our Windows 7 desktop.

Unable to delete the top level folder with Windows 7, but it works with Windows XP.  It must be something you’ve done to Windows 7.

Ok, well the “must be something you’ve done to Windows 7” was unspoken, but that’s where they were going next.

I admit I didn’t do a whole lot of investigating.  In fact, all I did was a simple Google search, “samba vista top level folder”, and the answer is that it was fixed in Samba release 3.0.24.  Which was released SEVEN YEARS AGO.

“Why didn’t you do a lot of investigation?”, I hear you ask.

Because I’m aware that the version of Samba the customer is using is so old it doesn’t even support encrypted passwords.

Running applications with separate “Admin” account privileges


We have normal logon accounts, and then we have “Admin_” accounts for doing things, such as user account password changes & Group Policy management.

It is, to say the least, a pain to either:

  • log out of my standard account and login with my Admin_ account or
  • run each program with the “Run As User” option.

A co-worker suggested I look at the “Winstep Nexus Dock” toolbar.  It allows me to put all the utilities I need to run with my “Admin_” account into the toolbar, such as program shortcuts.

At start-up, I “Run As” the Nexus Dock with my “Admin_” credentials.  Once the Nexus Dock is loaded, it passes those credentials on to the program shortcuts.

There is a paid “Ultimate” version at $24.95US, which gives you additional features, but I find the free version does what I want.

The Australian Signals Directorate has published an explanatory article here which explains why minimising admin privileges is a good idea.
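The same idea without a dock, as an added example that is neither the original post’s nor Winstep’s code: prompt once for the Admin_ credential, keep it only in the current PowerShell session, and launch each admin tool through Start-Process with that credential. The account name and the two console paths are assumptions.

```powershell
# Added example, not from the original post. Needs the Secondary Logon (seclogon)
# service, which is what "Run as different user" relies on as well.
$script:AdminCred = $null

function Get-AdminCredential {
    # Ask once, then reuse for the rest of the session; nothing is written to disk.
    if (-not $script:AdminCred) {
        $script:AdminCred = Get-Credential -UserName 'CONTOSO\Admin_jdoe' -Message 'Admin_ account password'
    }
    $script:AdminCred
}

function Start-AsAdmin {
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string[]]$ArgumentList
    )
    $params = @{
        FilePath         = $FilePath
        Credential       = (Get-AdminCredential)
        WorkingDirectory = $env:SystemRoot      # an explicit directory avoids a Start-Process -Credential quirk
    }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    Start-Process @params
}

# Assumed tools: Group Policy Management and AD Users and Computers (RSAT), both run under Admin_.
Start-AsAdmin -FilePath "$env:SystemRoot\system32\mmc.exe" -ArgumentList "$env:SystemRoot\system32\gpmc.msc"
Start-AsAdmin -FilePath "$env:SystemRoot\system32\mmc.exe" -ArgumentList "$env:SystemRoot\system32\dsa.msc"
```

The standard account never gets the admin token this way; only the child processes do, which is the separation the ASD article is after.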

My user account is trying to logon another system and I don’t know why!

A customer reported that while they were using their computer, their user account was trying to logon to another system (CRAGGYISLAND) and they wanted to know why.  In technical speak, Cross Domain Authentication attempts were occurring.

So I looked into it, and the cause of the problem was this:

  1. The customer had previously connected to the CRAGGYISLAND server file share, which was located in a different Active Directory domain, using different credentials.
  2. This share had "Offline Files" set.
  3. Offline Files (aka Client Side Caching) cached those files.
  4. Some time later they disconnected from the CRAGGYISLAND server file share.
  5. Much later they noticed, or our IT Security folk noticed, many CROSS DOMAIN AUTHENTICATION attempts, which were failing.
    The cause was the Windows 7 Offline Files service trying to sync the CRAGGYISLAND server files in its Offline Files cache, and failing.

The solution was to clear the Offline Files Cache on the Windows 7 computer by following the instructions in this article: On a Windows Vista-based or Windows 7-based client computer, you can still access offline files even though the file server is removed from the network.

I diagnosed the cause by cross-referencing the time of the Cross Domain Authentication attempts with the output of Process Monitor.
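A quicker first check than Process Monitor is to ask the Offline Files cache which servers it still holds entries for; a server nobody uses any more stands out straight away. The PowerShell below is an added example, not from the original post or the Microsoft article: it reads the cache through the Offline Files WMI provider that ships with Windows Vista and 7 and groups the cached paths by server. CRAGGYISLAND is the name from the post; the other paths are constructed samples.

```powershell
# Added example, not from the original post. The Offline Files service must be
# running for the WMI provider to answer.
function Get-OfflineFilesServers {
    Get-WmiObject -Namespace root\cimv2 -Class Win32_OfflineFilesItem -ErrorAction Stop |
        ForEach-Object { $_.ItemPath } | Group-ServerFromUnc
}

# Parsing is separated from WMI so it can be exercised on sample paths offline.
function Group-ServerFromUnc {
    param([Parameter(ValueFromPipeline = $true)][string]$Path)
    begin { $byServer = @{} }
    process {
        if ($Path -match '^\\\\(?<server>[^\\]+)\\') {          # \\SERVER\share\... -> SERVER
            $server = $Matches.server.ToUpperInvariant()
            if (-not $byServer.ContainsKey($server)) { $byServer[$server] = 0 }
            $byServer[$server]++
        }
    }
    end {
        foreach ($s in ($byServer.Keys | Sort-Object)) {
            New-Object PSObject -Property @{ Server = $s; CachedItems = $byServer[$s] }
        }
    }
}

# Constructed sample, shaped like ItemPath values from the CSC cache:
$sample = '\\CRAGGYISLAND\parochial\house\notes.txt',
          '\\CRAGGYISLAND\parochial\house',
          '\\craggyisland\parochial',
          '\\FILESRV01\users\dougal\todo.docx'
$sample | Group-ServerFromUnc | Select-Object Server, CachedItems | Format-Table -AutoSize
# Expected: CRAGGYISLAND 3, FILESRV01 1

# On a real machine:
# Get-OfflineFilesServers | Select-Object Server, CachedItems | Format-Table -AutoSize
```

Any server in that list that belongs to another domain, or that has been decommissioned, is a candidate source of the background sync attempts; clearing the cache as the post describes is what stops them.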

NTUSER.DAT.START

My Windows 7 logon time could be measured in minutes.  So I tidied up my Roaming Profile.  4GB of space savings later, I was removing the last of the files in the 5 to 20MB range.  One of these files was NTUSER.DAT.START.

NTUSER.DAT is a copy of the user’s HKCU registry settings and is used with Roaming Profiles.

But this NTUSER.DAT.START file?

As it turns out, it’s created by the Citrix UPM product.

NTUSER.DAT is read at profile load and we copy it to NTUSER.DAT.START.

At the end we compare NTUSER.DAT.START and end of session NTUSER.DAT and create a difference file called NTUSER.DAT.NET.

At logoff we merge the changes in NTUSER.DAT.NET (apart from exclusions) into the NTUSER.DAT on the network file share.
Citrix Support Thread: NTUSER.DAT.NET, NTUSER.DAT.START

At logoff it’s supposed to be deleted.  In my case it wasn’t, and since I didn’t have any Citrix sessions running, I deleted it.