AppLocker, ActiveSetup, Group Policy; all the dumb things

Welcome, strangers, to the show
I’m the one who should be lying low
Saw the knives out, turned my back
Heard the train coming, stayed out on the track
In the middle, in the middle, in the middle of a dream
I lost my shirt, I pawned my rings
I’ve done all the dumb things

– Paul Kelly, Dumb Things

Microsoft AppLocker is a wonderful technology which allows your IT Department to prevent malicious programs from being run on your work computer. Great in theory, and my experience is that it works, with some wrinkles. It broadly works by using Group Policy to configure which locations count as "Trusted".

AppLocker and Active Setup
Active Setup allows you to execute commands once per user, early during logon. For example, you might use it to configure iTunes for each user who logs onto the computer.

Each Active Setup entry contains the file path of the command that needs to run. If that file path is not trusted by an AppLocker rule, the command is blocked and your Active Setup fails.

If you are using System Center Configuration Manager (SCCM), then it’s likely that you’ll see this failure.

Suggestion:
If you are going to add a "Path" rule to fix this issue, you need to add two: one for EXEs and another one for MSIs.
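As an added example (not from the original post), here is what those two Path rules look like as an AppLocker policy fragment: one in the Exe collection and one in the Msi collection, both pointing at the same folder. The folder name, file names and rule GUIDs are placeholders; the policy is written to a temp file and dry-run with Test-AppLockerPolicy before anything is merged into the live policy.

```powershell
# Added example: two AppLocker Path rules (EXE + MSI) for an Active Setup source folder.
# Placeholder folder; point it at your real Active Setup payload location.
$trustedPath = '%OSDRIVE%\ActiveSetupPayload\*'
$exeRuleId   = [guid]::NewGuid().Guid   # fresh GUIDs, AppLocker requires one per rule
$msiRuleId   = [guid]::NewGuid().Guid

# EnforcementMode="NotConfigured" so a -Merge does not change the mode set elsewhere.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$exeRuleId" Name="Active Setup payload (EXE)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$trustedPath" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured">
    <FilePathRule Id="$msiRuleId" Name="Active Setup payload (MSI)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$trustedPath" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlFile = Join-Path $env:TEMP 'activesetup-applocker.xml'
Set-Content -Path $xmlFile -Value $policyXml

# Dry run: the two placeholder files must exist on disk for Test-AppLockerPolicy to read them.
# A PolicyDecision of "Allowed" for both means the Exe and Msi collections each have a match.
Test-AppLockerPolicy -XmlPolicy $xmlFile -Path 'C:\ActiveSetupPayload\setup.exe', 'C:\ActiveSetupPayload\setup.msi' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Only once the dry run looks right, merge it into the local policy (or set -Ldap for a GPO):
# Set-AppLockerPolicy -XmlPolicy $xmlFile -Merge
```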

Removing AppLocker via Group Policy
So for whatever reason, you have a class of "special" computers which AppLocker is not to apply to. So you remove the AppLocker Group Policy from the "special" computer. And it still seems to have AppLocker blocking programs.

What gives?
Well what seems to be happening is this:

  1. The AppLocker Application Identity service (AppIDSvc) is set to Manual.
  2. The AppLocker registry settings are being left behind.
  3. AppLocker causes applications to be blocked.

The fix?

  1. Start the Application Identity service (AppIDSvc)
  2. Logon to the computer.
  3. Restart the computer.

This causes AppLocker to finish removing the registry settings.
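To see whether a machine is in this half-removed state before following the fix above, here is an added diagnostic script (not from the original post). It only reads state: the Application Identity service, the registry keys the AppLocker GPO writes under SrpV2, and the effective policy as the service sees it.

```powershell
# Added example: report what is left of AppLocker on a machine that should no longer get the GPO.
# HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 is where Group Policy stores AppLocker rules.
$srpV2 = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'

$svc = Get-Service -Name AppIDSvc
"Application Identity service: Status={0} StartType={1}" -f $svc.Status, $svc.StartType

if (Test-Path $srpV2) {
    "Leftover AppLocker policy keys under $srpV2 :"
    Get-ChildItem -Path $srpV2 | ForEach-Object {
        $mode  = (Get-ItemProperty -Path $_.PSPath).EnforcementMode   # 1 = enforce, 0 = audit only
        $rules = @(Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue).Count
        "  {0,-10} EnforcementMode={1} rules={2}" -f $_.PSChildName, $mode, $rules
    }
} else {
    "No AppLocker policy keys under $srpV2 : the GPO settings have been fully removed."
}

# The effective policy as AppIDSvc evaluates it. Empty collections here mean nothing is blocked;
# rules still listed while the GPO is gone are the leftovers the section describes.
$effective = Get-AppLockerPolicy -Effective
foreach ($collection in $effective.RuleCollections) {
    "Effective {0} collection: {1} rule(s), mode {2}" -f $collection.RuleCollectionType,
        $collection.Count, $collection.EnforcementMode
}
```

If the service is stopped and SrpV2 keys are still present, that is the state the fix (start AppIDSvc, log on, restart) clears.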

$NOCSC$ – No Client Side Caching

[Embedded tweet about $NOCSC$]

No, I didn’t know that either.

So in other words, if you want to use the server copy of a file instead of the copy cached on the PC, you can do that by adding $NOCSC$ to the file path, i.e. \\Server$NOCSC$\<somefolder>\<somefile>

Put another way, it causes the local computer to bypass the local Offline Files cache and fetch the file from the file server.

I only found out about $NOCSC$ when a customer complained that their Roaming Profile was broken. Looking at the event log I saw the strange $NOCSC$ entry:

Log Name:      Application
Source:        Microsoft-Windows-User Profiles General
Date:          17/01/2016 17:15:09
Event ID:      1509
Task Category: None
Level:         Warning
Keywords:
User:          NODDYDOMAIN\BigEars
Computer:      SecurityPC
Description:
Windows cannot copy file C:\Users\BigEars\AppData\Roaming\Microsoft\Windows\Cookies\BigEars@fred.desk[2].txt to location \\server01$NOCSC$\Profiles$\BigEars.V2\AppData\Roaming\Microsoft\Windows\Cookies\BigEars@fred.desk[2].txt. This error may be caused by network problems or insufficient security rights.

DETAIL – Access is denied.

There is no Microsoft documentation on $NOCSC$ which means that it is unsupported for customer use.  The earliest reference to $NOCSC$ I can find is an event log reference in this Microsoft TechNet blog article from March 2008.   The earliest suggestion to use it, for debugging purposes, is from Microsoft’s Ned Pyle in March 2009.

It would seem that the earliest operating system to support it is Windows Vista.

Passing The Hash Protection, RunAsPPL, and breaking Windows 10

In order to improve our desktop security, I tested the "Run As Protected Process Light" (RunAsPPL) functionality for LSA included in Windows 8.1.

Current attacker tools, such as WCE, gsecdump, and Mimikatz, retrieve credentials from LSASS’s memory via injecting themselves into the process or simply reading a process’s memory. Windows 8.1 introduces a new security feature that allows the user to mark LSASS as a protected process. Protected processes enforce greater access control and limit the available interactions non-protected processes can have with a protected process. For example, process injection becomes much harder because only code signed by Microsoft can execute inside of a protected process. Also, protected processes disallow any non-protected process from reading its memory (even if the user is running as an administrator or system). This breaks current attacker tools.
– National Security Agency, Reducing the Effectiveness of Pass-The-Hash

“This breaks current attacker tools.”

It also broke our Windows 10 desktops. Even though I had enabled Lsass.exe auditing to see if we had any programs which were going to cause us issues, Microsoft's own sspisrv.dll was not flagged.

Enable RunAsPPL on Windows 10, Reboot Windows 10, Watch Windows 10 go into Recovery Mode.

Thanks Microsoft.
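As an added check (not from the original post), this script reads the two registry values behind LSA protection and its audit mode, and pulls the CodeIntegrity audit events Microsoft documents for LSASS plug-ins, so you can see what auditing flagged before flipping RunAsPPL on a pilot machine. As the section shows, an empty audit result is not a guarantee that the reboot will succeed.

```powershell
# Added example: read-only check of LSA protection state and LSASS plug-in audit events.
$lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ifeo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe' `
            -ErrorAction SilentlyContinue

# RunAsPPL = 1 turns protection on at next boot; AuditLevel = 8 logs plug-ins that would fail.
$runAsPpl   = if ($null -eq $lsa.RunAsPPL)    { 'not set' } else { $lsa.RunAsPPL }
$auditLevel = if ($null -eq $ifeo.AuditLevel) { 'not set (auditing off)' } else { $ifeo.AuditLevel }
"RunAsPPL   = $runAsPpl"
"AuditLevel = $auditLevel"

# 3065: plug-in failed the Shared Sections requirement. 3066: plug-in failed the Microsoft
# signing-level requirement. In audit mode both are logged but the module still loads.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3065, 3066
} -ErrorAction SilentlyContinue

if (-not $events) {
    'No 3065/3066 events: either nothing was flagged, or AuditLevel was never set to 8.'
} else {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
}
```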

References:
New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks
Configuring Additional LSA Protection
Security Support Provider Interface Architecture

Samba–like a dog returning …

Samba, every time I've said

“Not going to write about Samba”,

like a dog returning to its … food …, I return to issues with Samba.

To recap, I've written about the following Samba issues:
Samba file copy performance
Samba causing Windows account lockouts
Samba file deletion issues
Samba & clear text passwords

Today’s post?  Samba & SMB Signing.

"SMB Signing is a feature through which communications using SMB can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering of packets and "man in the middle" attacks."

So from a security perspective, SMB Signing is a good thing.

So I enabled it.

And the calls rolled in from our band of test users: "We can't connect to our network drives." Yes, Samba was involved.

*sigh*

In one case, a Samba-based server which went end of support in 2006 (in the words of the customer, "It just works. We've never needed to touch it.") was one of the servers the customer couldn't connect to.

3 months later, I'm going to have another crack at enabling SMB Signing. This time we'll enable it for everyone, and exclude individual PCs on an exception basis.

We’ll cover most of our corporate network & get most of the SMB Signing security benefits from this approach.

References:
The Basics of SMB Signing (covering both SMB1 and SMB2)

Network drives were dropping out

Network drives were dropping out. We were also seeing 15+ minute slow logon times at some remote sites.

We’d mostly see the slow logon times with Windows 7.  We’d see the “network drives dropping out” issue with Windows 8.

Looking at the OfflineFiles event log we saw several 1004 events logged. Looking at the details of the event, we'd see details like:
Path \\Noddyland\CorpData$ transitioned to slow link with latency = 140 and bandwidth = 202123

Why was it happening?  The following table might help:

Operating system    Slow bandwidth limit     Slow latency threshold
Windows XP          64Kbps                   n/a
Windows Vista       <nil> (opt-in policy)    n/a
Windows 7           64Kbps                   80ms
Windows 8           64Kbps                   35ms

From the event above, "transitioned to slow link with latency = 140 and bandwidth = 202123", you can see we had plenty of bandwidth, but our network latency was too high at 140ms, which triggered the network share (\\Noddyland\CorpData$) to go Offline.

We fixed the issue by setting Latency=200 for \\Noddyland\CorpData$, in Group Policy Computer Configuration\Administrative Templates\Network\Offline Files\Configure slow-link mode.
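To work out which threshold tripped without reading each event by hand, here is an added script (not from the original post) that parses 1004 event messages and compares them against the Windows 7 and Windows 8 defaults from the table. It runs against a constructed sample message modelled on the one above; with -FromEventLog it reads the real Microsoft-Windows-OfflineFiles/Operational log. It assumes the event reports bandwidth in bits per second.

```powershell
# Added example: evaluate OfflineFiles 1004 "transitioned to slow link" events against defaults.
param([switch]$FromEventLog)

# Thresholds from the table above (assumption: event bandwidth is in bits/s, so 64Kbps = 64000).
$thresholds = @{
    'Windows 7' = @{ Bandwidth = 64000; Latency = 80 }
    'Windows 8' = @{ Bandwidth = 64000; Latency = 35 }
}

function Test-SlowLinkMessage {
    param([string]$Message, [string]$Os = 'Windows 8')
    $pattern = 'Path (?<path>\\\\\S+) transitioned to slow link with latency = (?<lat>\d+) and bandwidth = (?<bw>\d+)'
    if (-not ($Message -match $pattern)) { return $null }
    $lat = [int]$Matches['lat']
    $bw  = [int]$Matches['bw']
    $t   = $thresholds[$Os]
    [pscustomobject]@{
        Path             = $Matches['path']
        LatencyMs        = $lat
        Bandwidth        = $bw
        LatencyTripped   = ($lat -gt $t.Latency)    # 140 > 35 on Windows 8 (and > 80 on Windows 7)
        BandwidthTripped = ($bw -lt $t.Bandwidth)   # 202123 is well above 64000, so not tripped
        Os               = $Os
    }
}

$messages = if ($FromEventLog) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-OfflineFiles/Operational'; Id = 1004 } |
        ForEach-Object Message
} else {
    # Constructed sample, modelled on the 1004 event quoted above
    @('Path \\Noddyland\CorpData$ transitioned to slow link with latency = 140 and bandwidth = 202123')
}

# Evaluate against both OS profiles, since the symptom differed between Windows 7 and Windows 8.
foreach ($os in $thresholds.Keys) {
    $messages | ForEach-Object { Test-SlowLinkMessage -Message $_ -Os $os }
} | Format-Table -AutoSize
```

Once you know latency is the trigger, the Latency=200 value in "Configure slow-link mode" is the matching fix; raising the bandwidth threshold would not have helped here.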

References:
“Configure slow-link mode” policy on Vista for Offline Files
Configuring New Offline Files Features for Windows 7 Computers Step-by-Step Guide
Slow-Link with Windows 7 and DFS Namespaces
The “Configure slow-link mode” Policy is not taking effect

Interim Roaming Profile Writes?

In the Citrix Optimization Guide: User Logon, there are two lines which seem a bit cryptic:

With Windows Server 2008 R2 Active Directory, enable interim roaming profile writes.  Alternatively, use a third-party profile solution that manages multiple sessions more appropriately.

“With Windows Server 2008 R2 Active Directory, enable interim roaming profile writes.”

I can't find a reference to "interim roaming profile writes". The closest setting I can find with Windows 2008 R2 is the Group Policy setting Background upload of a roaming user profile's registry file while user is logged on. According to Microsoft's Ned Pyle, Folder Redirection should take care of the rest of the profile data, which you should be storing in known folders.

So this is the likely setting Citrix is referring to.

“Alternatively, use a third-party profile solution that manages multiple sessions more appropriately.”

In the case of Citrix, they are probably referring to the Active Write Back feature of their Profile Management tool. With Active Write Back, "Changes are copied back to the network profile when updated files are closed, subject to no further updates in a window of 10 seconds after the close".

Group Policy Logging on Vista/Windows 7,8,10

At the end of "Our roaming profiles aren't being saved …", I wrote that

For Windows Vista and later, the log information is stored in the Event Log, under Applications and Services Logs\Microsoft\Windows\Group Policy\Operational. Further information on this can be found in this Microsoft TechNet post, Group Policy Logging on Windows Vista.

Well it is in the event log, but there is another .log file.  You can enable the Group Policy Client Service (GPSVC) log file.  It seems to solely provide information about what Group Policy settings are being applied.

GPSVC(1278.1dfc) 15:09:59:476 DebugPrintGPOList2: Options: 2, GPOName: {31B2F340-016D-11D2-945F-4FB98400C0F9} DisplayName: Default Domain Policy
GPSVC(1278.1dfc) 15:09:59:483 PrintGPWMIInfo: WMIInfo: GPOName:{15A0E08F-4917-F60B-8358-8B78E802A8B7}, QueryId:{81430147-9924-9351-456D-2329BF3F317F}, NameSpace:noddyland.inside
GPSVC(1278.1dfc) 15:09:59:483 PrintGPWMIInfo: WMIInfo: bFilterAllowed: TRUE, Rules:1;3;10;108;WQL;root\CIMv2;select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%") and ProductType = "1";
GPSVC(1278.1dfc) 15:09:59:484 GetFgPolicySettingImpl (bSync: 1)
GPSVC(1278.1dfc) 15:09:59:485 SaveGPOsToLocalCache(Machine): Server SKU runs in sync mode, skip cache operations.
GPSVC(1278.1dfc) 15:09:59:486 GetGPOInfo: Get 5 GPOs to after filtering.
GPSVC(1278.1dfc) 15:09:59:486 DebugPrintGPOList2: Options: 0, GPOName: Local Group Policy DisplayName: Local Group Policy
GPSVC(1278.1dfc) 15:09:59:487 DebugPrintGPOList2: Options: 0, GPOName: {55DD0EE9-4A06-4707-940B-5482CB34C9EF} DisplayName: Domain Policy - Log files
GPSVC(1278.1dfc) 15:09:59:488 DebugPrintGPOList2: Options: 0, GPOName: {02263A92-9FC5-4B95-B9C0-127ECC8A6C32} DisplayName: COMPUTEROBJECT-Desktops-Everyone
GPSVC(1278.1dfc) 15:09:59:493 DebugPrintGPOList2: Options: 0, GPOName: {E1692B3D-D2DA-4DA6-8683-2663C08C6F69} DisplayName: COMPUTERUSER-User Base settings
GPSVC(1278.1dfc) 15:09:59:494 DebugPrintGPOList2: Options: 2, GPOName: {3140B2F3-016D-11D2-945F-00CFB98044F9} DisplayName: Default Domain Policy
GPSVC(1278.1dfc) 15:09:59:494 GetGPOInfo:  Leaving with 1
GPSVC(1278.1dfc) 15:09:59:495 GetGPOInfo:  ********************************
GPSVC(1278.1dfc) 15:09:59:496 ProcessGPOs(Machine): Get 5 GPOs to process.
GPSVC(1278.1dfc) 15:09:59:496 ReadExtStatus: Reading Previous Status for extension {3378E5AC-683F-11D2-A89A-04FBB00CCFA2}

To enable the log file:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  3. On the Edit menu, point to New, and then click Key.
  4. Type Diagnostics, and then press ENTER.
  5. Right-click the Diagnostics subkey, point to New, and then click DWORD Value.
  6. Type GPSvcDebugLevel, and then press ENTER.
  7. Right-click GPSvcDebugLevel, and then click Modify.
  8. In the Value data box, type 0x30002, and then click OK.
  9. Exit Registry Editor.
  10. At a command prompt, type the following command, and then press ENTER:
    gpupdate /force
  11. View the Gpsvc.log file in the following folder:
    %windir%\debug\usermode

    Note – if the usermode folder does not exist under %WINDIR%\debug\ the gpsvc.log file will not be created. If the usermode folder does not exist, create it under %windir%\debug.
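The same steps as a script (an added example, not from the original post), including the usermode folder the note warns about. Run it from an elevated PowerShell prompt; the final Select-String pulls out the DebugPrintGPOList2 lines, which is the part of gpsvc.log shown above.

```powershell
# Added example: enable the GPSVC debug log (steps 1-9), trigger gpupdate (10), read the log (11).
$diag = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
if (-not (Test-Path $diag)) { New-Item -Path $diag -Force | Out-Null }
New-ItemProperty -Path $diag -Name GPSvcDebugLevel -PropertyType DWord -Value 0x30002 -Force | Out-Null

# Without %windir%\debug\usermode the service silently writes nothing (see the note above).
$logDir = Join-Path $env:windir 'debug\usermode'
if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory | Out-Null }

gpupdate /force | Out-Null

$log = Join-Path $logDir 'gpsvc.log'
if (Test-Path $log) {
    # One line per GPO considered, with its GUID and display name
    Select-String -Path $log -Pattern 'DebugPrintGPOList2' | ForEach-Object Line
} else {
    "$log not found: the Group Policy Client may not have refreshed yet, or the value was not picked up."
}

# The log keeps growing while the value exists; remove it when you are done:
# Remove-ItemProperty -Path $diag -Name GPSvcDebugLevel
```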

What are these strange files that the Macintosh dropped on my USB stick?

Lending a USB stick, or just being given one by someone, can be hazardous to your computer's health.

You've heard of the car-park study where security researchers dropped a handful of USB keys in a company car park, and just waited for some silly people to go

“Oh look!  Free USB stick!  Lucky Me!”

And plug them into their work PC.

This post isn’t about that.

It's about the hidden files that Apple Macintoshes drop onto your USB stick. Not a big thing if you're expecting it, but a bit of a surprise if you're using a PC and you're not.

[Image: Deleting Spotlight files]

.Spotlight-V100, .Trashes, .fseventsd and .DS_Store.

These files are created by Mac OS X to assist with searching, file modification and deletion tracking, and desktop icon placement.

You can safely delete them.

Reference:  Hostilefork – .Trashes, .fseventsd, and .Spotlight-V100

My final(?) SAMBA Post – File copy performance.

I've written a bit about SAMBA before, and I hope this will be the last time I do.

A customer was complaining recently that the file copy performance from their Windows 7 PC to one of their Unix boxes was dreadful.  But file copy performance was ok if they were copying to a Windows Server.  The customer was kind enough to provide a network capture so I could see what was going on.

Looking at the network capture, I saw that communications to the Unix boxes were using the SMBv1 Protocol, and the communications to the Windows Servers were using SMBv2.

If you Google “smb performance windows 7” you’ll find lots of complaints about Windows 7 being slower than Windows XP for Samba file copies.  It appears that SMBv1 file copies are in fact slower with Windows 7.

The solution I suggested to the customer was that they upgrade the SAMBA version on their Unix boxes to a version which supports SMBv2.  In particular, the “durable file handles” feature will fix their issues.  This SAMBA wiki page has further details.
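Both this section and the "Samba & SMB Signing" section above come down to knowing what a Windows client is actually negotiating with each server. Here is an added audit script (not from the original post) that lists the current SMB connections with their dialect and signing state, so SMBv1 servers and servers that do not sign can be found before signing is required or a Samba upgrade is planned. It needs the SmbShare module (Windows 8 / Server 2012 and later) and changes nothing.

```powershell
# Added example: read-only audit of this client's SMB connections for dialect and signing.
$connections = Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Signed, NumOpens

$connections | Format-Table -AutoSize

# Servers still on SMB1 (dialect below 2.0): the slow Windows 7 file-copy case in this section.
$smb1 = $connections |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object -ExpandProperty ServerName -Unique

# Sessions that are not signed: these are the connections that break once
# "Digitally sign communications (always)" is turned on, as happened with the old Samba box.
$unsigned = $connections |
    Where-Object { -not $_.Signed } |
    Select-Object -ExpandProperty ServerName -Unique

$smb1Text     = if ($smb1)     { $smb1 -join ', ' }     else { 'none' }
$unsignedText = if ($unsigned) { $unsigned -join ', ' } else { 'none' }
"SMB1 servers        : $smb1Text"
"Servers not signing : $unsignedText"

# Current client-side signing settings (what the Group Policy ends up setting); shown, not changed.
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
```

Run it on a few representative PCs during normal use; a server that shows up only in the unsigned list is a candidate for the exception list or, on the Samba side, for "server signing = mandatory" in smb.conf.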

Roaming Profiles and OneDrive for Business

The customer reported that their roaming profile wasn't saving to the network.

So I had a look.

The customer had sync’d 2GB of data using OneDrive and was storing it in their roaming profile.  The reason being something like “so it’s available wherever I log on.”

Which I understand. But storing anything in a roaming profile becomes a trade-off between portability and reliability. Plus you can throw in "increasing network logon/logoff times when you have a larger roaming profile."

Microsoft’s advice on this can be best described as “la la la I can’t hear you …”

For the OneDrive for Business sync app to work as designed, the following requirements must be met:

  • The application must be installed on the local computer.
  • The user must be able to write to the user profile.
  • Data that’s written to the user profile must be saved to the local hard disk and be available without a network connection.

Leong Chee Loon, MSFT Support

So Microsoft isn’t saying Roaming Profiles are not supported, but “user must be able to write to the user profile.”  But if your System Admin has set limits on how large the Roaming Profile can grow, then the user won’t be able to write to the user profile.

Or to put it another way, OneDrive for Business is not designed to be used with Roaming Profiles.
