Category: Terminal Services


RDS installation and HA procedure(s):

Create a RDSH FARM RDS 2012 using DNS Round Robin

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-scale-rdsh-farm

https://www.microsoftpressstore.com/articles/article.aspx?p=2346349&seqNum=4

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-connection-broker-cluster

https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1

https://msfreaks.wordpress.com/2013/12/23/windows-2012-r2-remote-desktop-services-part-2

https://msfreaks.wordpress.com/2013/12/26/windows-2012-r2-remote-desktop-services-part-3

https://ryanmangansitblog.com/tag/high-availability/

Technet forum: https://social.technet.microsoft.com/Forums/windowsserver/en-us/home?forum=winserverts

 

 

 

 

Advertisements

Introduction:

In summary:

  • Windows Event Forwarding allows for event logs to be sent, either via a push or pull mechanism, to one or more centralized Windows Event Collector (WEC) servers.
  • WEF is agent-free, and relies on native components integrated into the operating system. WEF is supported for both workstation and server builds of Windows.
  • WEF supports mutual authentication and encryption through Kerberos (in a domain), or can be extended through the usage of TLS (additional authentication or for non-domain-joined machines).
  • WEF has a rich XML-based language to control which event IDs are submitted, suppress noisy events, batch events together, and configure submission frequency. Subscription XML supports a subset of XPath, which simplifies the process of writing expressions to select the events you’re interested in.

A WEF connection requires a few basic components:

  • Group Policy Objects (GPOs) to control security auditing and event logging.
  • One or more servers with a configured Windows Event Log Collector service (often referred to as the “WEF Server” or “WEF Collector”).
  • Functional Kerberos for all endpoints (domain) or a valid TLS certificate (non-domain) for the Event Log Collector servers.
  • Windows Remote Management (WinRM) enabled on all workstations and servers that will forward events.
  • Firewall rules permitting WinRM connectivity between the devices.
  • GPOs to specify the URL of the WEF subscription manager(s).
  • One or more event log subscriptions. A subscription is a collection of events based on Event IDs or other criteria to tell the endpoints which event logs to forward.

The following actions occur upon first receiving appropriate GPOs on a workstation:

  • The workstation configures security auditing and starts writing to the local event log.
  • The workstation connects to the subscription manager(s) using WinRM, authenticated either via Kerberos or TLS. In both cases, transport-layer encryption is applied.
  • The workstation registers itself in the registry of the Event Log Collector, and downloads a list of all relevant WEF Subscriptions.
  • The workstation periodically sends events to the Event Log Collector(s) as defined in the subscription files. Additionally, the workstation connects on a periodic heartbeat.

As new devices are added to the domain and receive the appropriate security logging and WEF subscription GPOs, they will automatically begin forwarding events, reducing the administrative burden of ensuring log coverage and quality.

Event forwarding (also called SUBSCRIPTIONS) is a mean to send Windows event log entries from source computers to a collector. A same computer can be a collector or a source.

There are two methods available to complete this challenge – collector initiated (also called PULL) and source initiated (also called PUSH):

Parameter Collector Initiated (PULL) Source Initiated (PUSH)
Socket direction (for firewall rules) Collector –> Source Collector –> Source
Initiating machine Collector Source
Authentication Type Kerberos Kerberos / Certificates

This technology uses WinRM (HTTP protocol on port TCP 5985 with WinRM 2.0) . Be careful with the Window firewall and configure it to allow WinRM incoming requests.

WinRM is the ‘server’ component and WinRS is the ‘client’ that can remotely manage the machine with WinRM configured.

Differences you should be aware of:

WinRM 1.1 (obsolete)
Vista and Server 2008
Port 80 for HTTP and Port 443 for HTTPS

WinRM 2.0
Windows 7 and Server 2008 R2, 2012 R2, windows 10, Server 2016 …
Port 5985 for HTTP and Port 5986 for HTTPS

Tool:

https://www.logbinder.com/

Reference articles for WEF and Event forwarding:

Deploying WinRM using Group Policy: http://www.vkernel.ro/blog/how-to-enable-winrm-http-via-group-policy

Microsoft official document well documented:

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4

http://blogs.technet.com/b/jepayne/archive/2015/11/24/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem.aspx

Fresh How-to from Intrusion detection perspective:

https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f

How-to easy to follow from Intrusion detection perspective:

https://www.root9b.com/sites/default/files/whitepapers/R9B_blog_005_whitepaper_01.pdf

https://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

Basic configuration:

on source computers and collector computer:  winrm quickconfig     and add the collector computer account to the local administrators group

To verify a listener has been created type winrm enumerate winrm/config/listener

WinRM Client Setup

Just to round off this quick introduction to WinRM, to delete a listener use winrm delete winrm/config/listener?address=*+Transport=HTTP

on collector computer: wecutil qc. Add the computer account of the collector computer to the Event Log Readers Group on each of the source computers

on collector computer: create a new subscription from event viewer (follow the wizard)

WinRS: WinRS (Windows Remote Shell) is the client that connects to a WinRM configured machine (as seen in the first part of this post). WinRS is pretty handy, you’ve probably used PSTools or SC for similar things in the past. Here are a few examples of what you do.

Connecting to a remote shell
winrs -r:http://hostnameofclient "cmd"
Stop / Starting remote service
winrs -r:http://hostnameofclient "net start/stop spooler"
Do a Dir on the C drive
winrs -r:http://hostnameofclient "dir c:\"

WinRS

Forwarded Event Logs:

This is configured using ‘subscribers’, which connect to WinRM enabled machines.

To configure these subscribers head over to event viewer, right click on forwarded events and select properties. Select the 2nd tab along subscriptions and press create.

This is where you’ll select the WinRM enabled machine and choose which events you would like forwarded.

Subscriptions

Right click the subscription and select show runtime status.

Error 0x80338126

Now it took me a minute or two to figure this one out. Was it a firewall issue (this gives the same error code), did I miss some configuration steps? Well no, it was something a lot more basic than that. Remember earlier on we were talking about the port changes in WinRM 1.1 to 2.0?

That’s right, I was using server 2008 R2 to set the subscriptions which automatically sets the port to 5985. The client I configured initially was server 2008 so uses version 1.1. If you right click the subscription and click properties -> advanced you’ll be able to see this. I changed this to port 80 and checked the runtime status again.

[DC2.domain.local] – Error – Last retry time: 03/02/2011 20:20:30. Code (0x5): Access is denied. Next retry time: 03/02/2011 20:25:30.”

Head back to the advanced settings and change the user account from machine account to a user with administrative rights. After making these changes the forwarded events started to flow.

Subscriptions Advanced

Additional considerations:

In a workgroup environment, you can follow the same basic procedure described above to configure computers to forward and collect events. However, there are some additional steps and considerations for workgroups:

  • You can only use Normal mode (Pull) subscriptions
  • You must add a Windows Firewall exception for Remote Event Log Management on each source computer.
  • You must add an account with administrator privileges to the Event Log Readers group on each source computer. You must specify this account in the Configure Advanced Subscription Settings dialog when creating a subscription on the collector computer.
  • Type winrm set winrm/config/client @{TrustedHosts="<sources>"} at a command prompt on the collector computer to allow all of the source computers to use NTLM authentication when communicating with WinRM on the collector computer. Run this command only once. Where <sources> appears in the command, substitute a list of the names of all of the participating source computers in the workgroup. Separate the names by commas. Alternatively, you can use wildcards to match the names of all the source computers. For example, if you want to configure a set of source computers, each with a name that begins with “msft”, you could type this command winrm set winrm/config/client @{TrustedHosts="msft*"} on the collector computer. To learn more about this command, type winrm help config.

If you configure a subscription to use the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings , you must also set corresponding Windows Firewall exceptions for port 443. For a subscription that uses Normal (PULL mode) delivery optimization, you must set the exception only on the source computers. For a subscription that uses either Minimize Bandwidth or Minimize Latency (PUSH mode) delivery optimizations, you must set the exception on both the source and collector computers.

If you intend to specify a user account by using the Specific User option in Advanced Subscription Settings when creating the subscription, you must ensure that account is a member of the local Administrators group on each of the source computers in step 4 instead of adding the machine account of the collector computer. Alternatively, you can use the Windows Event Log command-line utility to grant an account access to individual logs. To learn more about this command-line utility, type wevtutil sl -? at a command prompt.

 

 

Video:

Tutorials:

1st: Event forwarding between computers in a Domain

http://tutorial.programming4.us/windows_7/Forwarding-Events-(part-1)—How-to-Configure-Event-Forwarding-in-AD-DS-Domains.aspx

2nd: Event forwarding between computers in workgroup

http://tutorial.programming4.us/windows_7/Forwarding-Events-(part-2)—How-to-Troubleshoot-Event-Forwarding—How-to-Configure-Event-Forwarding-in-Workgroup-Environments.aspx

Additional article talking about Event forwarding too:

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

 

View at Medium.com

Some interesting sites:

Windows 10 security hardening:

https://www.asd.gov.au/publications/protect/Hardening_Win10.pdf

Delegate WMI access to domain controllers:

This post originally came about after several customers asked how to remove users accounts from Domain Admins and the Administrators group in the domain. These accounts are needed to monitor the systems, so we needed to find a way to get them to read the instrumentation of the system with non-elevated privilege.

https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/

 

Reference articles to secure a Windows domain:

https://github.com/PaulSec/awesome-windows-domain-hardening

Microsoft audit Policy settings and recommendations:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

Sysinternals sysmon:

https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

On ADsecurity.org:

Beyond domain admins: https://adsecurity.org/?p=3700

Gathering AD data with PowerShell: https://adsecurity.org/?p=3719

Hardening Windows computers, secure Baseline check list: https://adsecurity.org/?p=3299

Hardening Windows domain, secure Baseline check list:

Securing Domain Controllers to Improve Active Directory Security

Domain hardening in general:

 

List of items
Setting Up Jump server
Domain joining of all windows boxes
Proper account Management Based on privileges
Usage of service accounts to run application instead of local system accounts
Review of existing AD accounts/Deletion of Unnecessary Accounts/ Review Ou structuring/GPO etc
HoneyToken Account Creation in Local boxes as well domain
GPO changes for disabling guest accounts across system,restricted RDP mode,Password Policy changes,disabling internet in member servers
GPO for Jump server implementation based on PAW GPO settings
Rename existing builtin Administrator account and lockdown
Sysmon deployment and WEF setup (WEC for symon events)
Ping castle review to assess the AD security
FGPP implementation
LAPS Implementation
Process for proper cleanup of unused AD accounts
Reset of krbtgt account,domain admins account,It administrators account

Download sysmon:

NEW: Sysmon 9.0 is available ! : https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon and how to use it:

NEW: WMI detections: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/

MITRE framework – sysmon coverage:

Installation and usage:

https://github.com/ion-storm/sysmon-config

 

https://github.com/SwiftOnSecurity/sysmon-config

List of web resources concerning Sysmon: https://github.com/MHaggis/sysmon-dfir

Motiba: https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-suspicious-activity-guide/

Sysmon events table: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-events-table/

Mark russinovitch’s RSA conference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

Sysmon config files explained: https://www.bsk-consulting.de/2015/02/04/sysmon-example-config-xml/

Hide sysmon from services:

Hide:
sc sdset Sysmon D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Restore:
sc sdset Sysmon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

View at Medium.com

Else other install guides:

Sysinternals Sysmon unleashed

http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon

 

Detecting APT with Sysmon:

https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

https://www.root9b.com/sites/default/files/whitepapers/R9B_blog_005_whitepaper_01.pdf

Sysmon with Splunk:

http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/

https://securitylogs.org/tag/sysmon/

Sysmon log analyzer/parsing sysmon event log:

https://github.com/CrowdStrike/Forensics/blob/master/sysmon_parse.cmd

https://digital-forensics.sans.org/blog/2014/08/12/sysmon-in-malware-analysis-lab

https://github.com/JamesHabben/sysmon-queries

http://blog.crowdstrike.com/sysmon-2/

WEF: https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

logparser: http://www.microsoft.com/en-us/download/confirmation.aspx?id=24659

logparser GUI: http://lizard-labs.com/log_parser_lizard.aspx

You can manage users, sessions, processes, and terminal servers by using command-line utilities:

for w2k8/w2k8-r2: http://technet.microsoft.com/en-us/library/cc725766(WS.10).aspx

 

Command Description
Change Changes Remote Desktop Session Host (RD Session Host) server settings for logons, COM port mappings, and install mode.
Change logon Enables or disables logons from client sessions on an RD Session Host server, or displays current logon status.
Change port Lists or changes the COM port mappings to be compatible with MS-DOS applications.
Change user Changes the install mode for the RD Session Host server.
Chglogon Enables or disables logons from client sessions on an RD Session Host server, or displays current logon status.
Chgport Lists or changes the COM port mappings to be compatible with MS-DOS applications.
Chgusr Changes the install mode for the RD Session Host server.
Flattemp Enables or disables flat temporary folders.
Logoff Logs off a user from a session on an RD Session Host server and deletes the session from the server.
Msg Sends a message to a user on an RD Session Host server.
Mstsc Creates connections to RD Session Host servers or other remote computers.
Qappsrv Displays a list of all RD Session Host servers on the network.
Qprocess Displays information about processes that are running on an RD Session Host server.
Query Displays information about processes, sessions, and RD Session Host servers.
Query process Displays information about processes that are running on an RD Session Host server.
Query session Displays information about sessions on an RD Session Host server.
Query termserver Displays a list of all RD Session Host servers on the network.
Query user Displays information about user sessions on an RD Session Host server.
Quser Displays information about user sessions on an RD Session Host server.
Qwinsta Displays information about sessions on an RD Session Host server.
Rdpsign Enables you to digitally sign a Remote Desktop Protocol (.rdp) file.
Reset session Enables you to reset (delete) a session on an RD Session Host server.
Rwinsta Enables you to reset (delete) a session on an RD Session Host server.
Shadow Enables you to remotely control an active session of another user on an RD Session Host server.
Tscon Connects to another session on an RD Session Host server.
Tsdiscon Disconnects a session from an RD Session Host server.
Tskill Ends a process running in a session on an RD Session Host server.
Tsprof Copies the Remote Desktop Services user configuration information from one user to another.

Tips and tricks:

To query and list the sessions on the remote session, you could use QUser.exe or QWinsta:

C:>QUERY USER [username | sessionname | sessionid] [/SERVER:servername]

QWinsta is little different and better. It has more features and options. It comes with all flavors of Windows:

C:>qwinsta /?
Display information about Terminal Sessions.

QUERY SESSION [sessionname | username | sessionid]
[/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER]

Logoff command kicks off (logging off) the specified remote session:

C:>logoff /?
Terminates a session.

LOGOFF [sessionname | sessionid] [/SERVER:servername] [/V]

RWinsta has same parameters and does same thing as log off command. It simply means Reset WINdows STAtion:

C:>RWinsta /?
Reset the session subsytem hardware and software to known initial values.

RESET SESSION {sessionname | sessionid} [/SERVER:servername] [/V]

 

 

Remotely enable PSRemoting and Unrestricted PowerShell Execution using PsExec and PSSession, then run PSRecon

Option 1 — WMI:
PS C:\> wmic /node:”10.10.10.10″ process call create “powershell -noprofile -command Enable-PsRemoting -Force” -Credential Get-Credential

Option 2 – PsExec:
PS C:\> PsExec.exe \\10.10.10.10 -u [admin account name] -p [admin account password] -h -d powershell.exe “Enable-PSRemoting -Force”

Next…

PS C:\> Test-WSMan 10.10.10.10
PS C:\> Enter-PSSession 10.10.10.10
[10.10.10.10]: PS C:\> Set-ExecutionPolicy Unrestricted -Force

Then…

Option 1 — Execute locally in-memory, push evidence to a share, and lock the host down:
[10.10.10.10]: PS C:\> IEX (New-Object Net.WebClient).DownloadString(‘https://github.com/gfoss/PSRecon/psrecon.ps1&#8217;)
[10.10.10.10]: PS C:\> Copy-Item PSRecon_* -Recurse [network share]
[10.10.10.10]: PS C:\> rm PSRecon_* -Recurse -Force
[10.10.10.10]: PS C:\> Invoke-Lockdown; exit

Option 2 — Exit PSSession, execute PSRecon remotely, send the report out via email, and lock the host down:
[10.10.10.10]: PS C:\> exit
PS C:\> .\psrecon.ps1 -remote -target 10.10.10.10 -sendEmail -smtpServer 127.0.0.1 -emailTo greg.foss[at]logrhythm.com -emailFrom psrecon[at]logrhythm.com -lockdown

Be careful! This will open the system up to unnecessary risk!!
You could also inadvertently expose administrative credentials when authenticating to a compromised host.
If the host isn’t taken offline, PSRemoting should be disabled along with disallowing Unrestricted PowerShell execution following PSRecon

http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx

Windows XP/2003/2012 and greater support drive mapping back to the client workstation during a Terminal Services (Remote Desktop) session. This means you can copy files from the server to the client and vice versa.

Each volume (removable, fixed or network) available on the client workstation is mapped (A for drive A:, C for drive C:, X for drive X: etc) and the remote Terminal Services session inherits the user’s permission. So if you are logged on to the workstation as user A and you log in to the Terminal Services server as user B, the session will have access to the drives according to A’s permissions.

Drives can also be mapped like a network drive. The client drives are accessible as \\TSCLIENT\C. Note the client workstation’s machine name is not used, it is always referenced with the generic name TSCLIENT.

To display the files on TSCLIENT:

DIR \\TSCLIENT\C

So you can map a drive as follows:

NET USE Y: \\TSCLIENT\C

or simply use the Universal Naming Convention (UNC) syntax:

COPY \\TSCLIENT\C\MYDIR\*.XLS D:\DOCUMENTS\ 

example:

ROBOCOPY \\TSCLIENT\C\MYDIR D:\DOCUMENTS *.XLS /Z /ETA

ROBOCOPY \\TSCLIENT\C\MYDIR D:\DOCUMENTS *.* /MIR /Z /ETA /r:1 /w:1 /Log+:d:\log.txt

 

Note: If you receive an “Attempt to access invalid address” error when using the UNC path \\tsclient\c, then the problem is on the client side.

Likely, the Windows firewall is turned on and blocking file shares, or “File and Printer Sharing For Microsoft Networks” is turned off in the NIC properties, the Server service is disabled, or simple file sharing is enabled on the client

 

How to create and deploy a client certificate for MAC: http://blogs.technet.com/b/configmgrteam/archive/2013/04/05/how-to-create-and-deploy-a-client-cert-for-mac-independently-from-configmgr.aspx

Transforming .cer to .pem or vice-versa: https://www.sslshopper.com/ssl-converter.html

using openssl to convert a certificate format to another format: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

Exporting a private key: https://technet.microsoft.com/en-us/library/cc754329.aspx