Introduction to RDP – Remote Desktop Protocol

RDP or Remote Desktop Protocol is used to get a remote session into a Windows or Windows Server operating system. This unlike other tools like telnet gives you a graphical session to your remote computer, this means you can log in and get your normal Windows desktop environment.
Microsoft have released official Remote Desktop applications on the following platforms:

  • Mac OSX
  • Andoid
  • iOS
  • Windows phone

This means that you can work remotely from your mobile devices and also other platforms. While there is no official RDP application for Linux there are third party applications that will allow you to use the RDP protocol from Linux.

You can only use remote desktop to remote access Windows Pro or Windows Server products. Windows Home editions will not allow remote desktop access. You can remote from Windows Home editions into Professional editions though.

Why is Remote Desktop used

Remote Desktop is commonly used to administer Windows Servers and also in a terminal server(now called Remote Desktop Services) environment. Because the RDP application is built into server by default it is easy to set up and does not need any extra software installed on the server.

RDP security concerns

The Remote Desktop Protocol does come with some security issues. If you use RDP from an unsecured network(like free WiFi in cafe) or somebody gains access to your network the traffic can be sniffed and compromised.
It is best practice to use a VPN to connect to the local network from an outside network to encrypt the traffic, this will increase the security of your RDP connection.

Alternatives to RDP

Sometimes you will not be able to use RDP to connect to Windows computers, this could be because you just want to log into the computer once and you cannot get a firewall rule configured or because you want the end user to see what you are doing. These programs do not come included in Windows, some popular examples of these are:

Teamviewer

Team viewer has a free version if you are using it for non-commercial usage. Teamviewer works by running the teamviewer program on both computers. If you are using it in a business environment than you need to pay for a licence. With teamviewer people on both sides will be able to see what is being done.

Logmein

With Logmein you install the application on a PC and then access it through a web portal. Logmein does not have a free version if you want to use it then you will need to pay.

UltraVNC

UltraVNC is completely free and open source. It is a bit more difficult to set up, you have to install the server component on the computer you want to log into and configure some settings.

Read More →
Replies: 0 / Share:

Cannot connect to exchange server or OWA with Http Event 15021

Microsoft-Windows-HttpEvent – Event ID: 15021

An error occurred while using SSL configuration for endpoint 0.0.0.0:443. The error status code is contained within the returned data.

This error is because the SSL certificate is not binded to the Exchange site properly. This will stop outlook being able to connect to exchange and also if you browse to OWA or ECP you will just get a 404 error.

To fix this:

  • Open IIS Manager
  • Expand your <server name>
  • Expand Sites
  • Select “Default Web Site
  • On the Actions Pane select Bindings

Select bindings to fix exchange server

 

  • Under the Site Bindings open both https entries and add the certificate to the site

add certificate ssl small

 

Now go to your desktop and open outlook. Now you will be connected to your exchange server and be able to send and receive emails.

all folders up to date exchange

Read More →
Replies: 9 / Share:

How to fix WSUS error 800b0001

On Windows Server the error code 800B001 means that the client has the WUAgent V7.6.7600.256 and is missing a patch.

To fix this is easy, you just need to install the patch KB2734608 which you can download from http://support.microsoft.com/kb/2734608.

After installing the update you will need to re-index the WSUS database. To do this you will need to use the sqlcmd utility and also download the WSUS re-index script(you can download that from here):

sqlcmd -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query –i <scriptLocation>\WsusDBMaintenance.sql

The call to sqlcmd needs to have a -I (capital i) parameter, which tells SQL to run the script with QUOTED_IDENTIFIERS enabled. and <scriptlocation> needs to be the location of the downloaded script.

Once that is done you will also want to run the WSUS server cleanup wizard by following these steps:

  • Open the WSUS administration console
  • Expand the server in the left pane and select options
  • In the options window select server cleanup wizard

Now open a command prompt and run the command:

iisreset

Now to complete this fix then restart the following services:

  • WSUS Service
  • SQL Server Service
Read More →
Replies: 1 / Share:

SQL 2012 cannot connect ot wmi provider

Error: Cannot connect to WMI provider. You do not have permission or the server is unreachable. Note that you can only manage SQL Server 2005 and later servers with the SQL Server Configuration Manger. Invalid class[0x80041010]

The other day I went to open the SQL Configuration Manager on our SQL Server 2012 installation and I got the following error message:

“Cannot connect to WMI provider. You do not have permission or the server is unreachable. Note that you can only manage SQL Server 2005 and later servers with the SQL Server Configuration Manger.
Invalid class[0x80041010]”

So I know that I had no SQL Server 2005 so that little warning doesn’t apply to this.

According to Microsoft this error happens because

the WMI provider is removed when you uninstall an instance of SQL Server. The 32-bit instance and the 64-bit instance of SQL Server share the same WMI configuration file. Which is strange because I haven’t uninstalled any instances of SQL Server from the server.

Fix the Cannot connect to WMI provider error:

To fix this SQL error you need to:

Open a command prompt, type the following command, and then press ENTER:
mofcomp “%programfiles(x86)%\Microsoft SQL Server\number\Shared\sqlmgmproviderxpsp2up.mof”

The value of number depends on the version of SQL Server make sure you change the value according to the server table below:

Microsoft SQL Server 2012 110
Microsoft SQL Server 2008 R2 100
Microsoft SQL Server 2008 100
Microsoft SQL Server 2005 90

Now restart the WMI service for the changes to take affect.

Now you should be able to run the SQL Server Configuration Manager properly.

 

Read More →
Replies: 1 / Share:

By default in Windows Server 2012 and 2012 R2 when automatic updates finish you have 3 days to reboot the server. After this time period next time you login to the server it will give you the message:

Restarting in 15 minutes. Windows server 2012 R2
Restarting in 14 minutes, 49 seconds Your PC needs to restart to finish installing important updates. If you’ve already saved anything, you can restart now. Otherwise, you should take a moment to save your work.

The problem with this is that you may not log into your server for weeks then all of a sudden you need to make a change or check some settings so you log into your Windows Server 2012 box or VM and then this message pops up. This can cause a whole lot of problems for a server that is in production, especially if this is a dedicated windows server for a specific application as this will restart the server and not allow users to interact with it.

I have not found any way to cancel this pending reboot.

I have tried using the command:

shutdown /a

This just gives a message saying no pending shutdown.

I read on some frorums people said to stop the Windows Update Service, this didn’t work for me, the server still rebooted.

 

Preventing the automatic reboot

Seems the only way to disable this really annoying feature is to configure the automatic updates policy.

You will need to make sure that you have this RollUp 2883201(http://support.microsoft.com/kb/2883201) installed. If you are using Windows Server 2012 R2 it should be included already.

Now you will need to open group policy and on a GPO that is allocated to your Servers enable the setting

Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time

This will make your server reboot after downloading and installing updates. You will need to make sure that the server is set to install updates in at the maintenance time.

 

This video shows you how to setup the Group Policy so that the computer or server does not randomly reboot but installs the updates and reboots at a scheduled time

 

 

Read More →
Replies: 8 / Share:

I accidentally deleted all of the public folders today from a public folder database. Pretty silly yeah? But this is the reason I am always going on about having a solid backup routine.

So I have my backup which I took right before I started working.

I thought now I just need to find the walk through on how to actually restore a public folder database. This wasn’t very easy to find and I actually ended up just trying something and it worked.

I found one that said to use PFDAVAdmin to restore them but when I tried it just wouldn’t find any. It would just crash out when you tell it to Show Deleted Subfolders. I would get the following error:

Unhandled exception has occurred in your application. if you click Continue the applicaiton will ignore this error and attempt to continue. If you click quit, the application will close immediatley.

Name cannot begin with the ‘0’ character, hexadecimal value 0x30. Line 1, position 441

 

Error when try to see deleted public folders
Error when try to see deleted public folders

 

The method I used to Recover the Public Folder Database

  • Restore Exchange to a different location from a backup using Windows Server Backup
  • Open the Exchange Management Console
  • In the left menu thing navigate to Microsoft Exchange > Server Configuration > Mailbox
  • In the center it will have the Server list. Select the Server
  • Below where you selected the Exchange Server select the public folder database you want to restoredismount exchange public folder database
  • Then you need to dismount the database by selecting Dismount Database on the right hand actions panel
  • Now the Public Folder Database is dismounted select the Properties button just under where you selected to dismount the database
  • At the bottom there is a check box that says “This database can be overwritten by a restore” check that box and press apply.Allow restore of public folder database
  • Now open windows explorer and go to the directory that you have restored the exchange database to and find the public folder database. It is usully located under <Drive Letter>:\Program Files\Microsoft\Exchange Server\Mailbox\<Storage Group Name>\ but it should tell you the path under database file path in EMC
  • Copy the restored copy of the Public Folder Database
  • Navigate to the public folder database that you just dismounted
  • Rename the original database (I usually just put a .old at the end of the filename)
  • Paste the restored Public Folder Database file and make sure the name is the same
  • Now go back to Exchange Management Console and select re-mount

If Mounting The Public Folder Database Fails

  • Open the Exchange Management Shell (the powershell command for exchange)
  • Navigate to the folder that your public folder database is in
  • Repair the database by running the command (replacing <PFD name> with the name of your public folder database file name)

eseutil -p <PFD name>.edb

  • Open the Exchange Management Console and mount the public folder database
Output of the eseutil -p command
Output of the eseutil -p command

 

 

Read More →
Replies: 16 / Share:

I tried to add a user mailbox on an Exchange 2007 Server and got the following error:

The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error.

Exchange Management Shell command attempted:
New-MailUser -Name ‘user’ -Alias ‘user’ -OrganizationalUnit ‘domainname.local/Users’ -UserPrincipalName ‘[email protected]’ -SamAccountName ‘user’ -FirstName ‘user’ -Initials ” -LastName ‘name’ -Password ‘System.Security.SecureString’ -ResetPasswordOnNextLogon $false -ExternalEmailAddress ‘SMTP:[email protected]

 

This had happened just after I disconnected an old Exchange Server during the migration process to Exchange 2013. Turns out this error can be caused by the default Public Folder Database being pointed in the wrong location or just your a problem with Microsoft Exchange System Attendant Service.

If it is a problem with the Microsoft Exchange System Attendant Service then you need to restart it by:

  • Typing “services.msc” in the run box
  • Then find the Microsoft Exchange System Attendant service
  • Select Restart

Check where the default public folder database is by:

  • Go to Organization Configuration > Mailbox.
  • Select the mailbox database that you want to change the default public folder database.
  • Right click the database and select properties
  • In <Mailbox Database Name> Properties, click the Client Settings tab.
  • Next to the Default public folder database box, click Browse.
  • In Select Public Folder Database, select the public folder database from the list of public folder databases, and then click OK.

Now if you add the user mailbox again it should have resolved the list service failed to respond error.

Related Posts:

How to restore a public folder database manually in Exchange

Administrator Does Not Have Exchange Admin Rights

Read More →
Replies: 3 / Share:

Why Harden Windows Security On Your Network

Having a secure environment can significantly reduce the amount of break/fix work that you need to do. Things that securing your computers can help prevent are:

  • Viruses
  • Bloatware
  • Securing files and company data
  • Protecting against accidental data loss

This article will discuss how to secure Windows computers that are members of Active Directory and we will discuss securing these workstations using group policy settings. We will also discuss ideas on educating users so they have some awareness of computer security concepts.

I am not saying that you need to do every single item on this list, you can just pick what is right for your domain and what your users will accept. I am also not saying that doing these things will protect you 100% from security breaches but doing them will keep your network more secure than what it is without any of these domain security tips.

How To Secure Windows On Your Domain

Not Allowing Local Administrator Rights

By not allowing users to have local administrator rights this will not only stop them from installing unwanted software on their computers but it will also stop any websites that are compromised using the local user account to install malware or viruses.

Remove The Control Panel

You can remove users from having access to the control panel. This will stop users trying to customise their workstations or changing settings that they just shouldn’t be messing with.

You can disable users to have access to the control panel or you can just allow the users to have access to specific parts using group policy. To change these settings you need to go to the group policy editor and edit the policy (Or create a group policy object and deploy it to users that you want to restrict) that is for the users that you want to restrict.

Under the policy node:

User Configuration\Administrative Templates\Control Panel

There will be 4 options:

  • Always open All Control Panel items: This setting allows users full access to the control panel
  • Hide specified Control Panel items: This setting will hide control panel items that you specify in this setting.
  • Show only specified Control Panel items: This will hide all control panel items except the ones that you specify.
  • Prohibit access to the Control Panel: This will remove users rights completely to the control panel. They will not even see the option to open the control panel in the start menu.

Anti-Virus

Use a good Anti-Virus software. Make sure the software is kept up to date and that users do cannot disable or edit any of the settings in the Anti-Virus.

Spam Filter

Using a good spam filter is very important. Lots of malicious attacks are done using email, some are phishing scams and some are links to viruses or malware. If you have exchange there are many different spam filters available that will link directly on your exchange server, if you are using a hosted email solution than most email hosts will have a spam filtering service.

Firewall

Make sure the Standard Windows Firewall is enabled and that users do not have permissions to edit the firewall settings. This will stop users from making their own firewall rules to allow programs through. You can disable users access to the firewall and specify domain wide firewall rules in group policy.

I also recommenced using a hardware firewall on the edge of your network to protect the whole network from outside attack sources.

UAC – User Account Control

Make sure users have UAC enabled. If on a domain environment you can enable UAC through group policy. The settings to do this are under “Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Internet Explorer Security Zones

Internet Explorer is often used as an attack vector. You can set up domain wide Internet Explorer security zones under “User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Security“, in the security zones. Be sure to add any sites that you want to trust.

You can specify the home page under “User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\URLs“, this will stop users being able to use different sites for their homepage. This also stops other software hijacking your users homepage and setting it to a fake search engine.

Set Up Software Restriction Policies

A software restriction policy only allows users on your domain to run software that is approved or it can be used to disable software from running in a specific folder. This can help to:

  • Fight viruses
  • Regulate which ActiveX controls can be downloaded
  • Run only digitally signed scripts
  • Enforce that only approved software is installed on system computers
  • Lockdown a machine

Read here for an in depth description of software policies.

Disabling users from running programs from the %appdata% folder in the users profile is a good step and can help prevent viruses like cryptolocker( See here for how to defend against cryptolocker) and malicious software running from emails. You can find the settings for software restriction policies in group policy under “Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies”.

Only  Allow Users To Log Onto Specific Computers

In Active Directory you can specify users to only be allowed to log on to certain computers. You can lock this down to specific users on specific computers or you can only allow certain groups to log onto the computers.
Example: You only allow Accountants to log onto computer in the finance department.

Keeping Third Party Software Up To Date

Alot of commonly used software have security holes in them. Software like java, acrobat reader and adobe flash should all be kept up to date. This can be done though group policy. However you cannot install EXE files through group policy, but luckily most commonly used software is available as an MSI package which can be installed via group policy.

To do this:

  • Put the MSI package in a shared folder.
  • Create a GPO that is linked to the computers that you want the package deployed to.
  • Then edit the GPO and navigate to “Computer Configuration\Policies\Software Setting\Software installations“.
  • Right click inside the empty space and select “New>Software Package
  • Select your MSI package and check assigned
  • Close the group policy editor

 

Read More →
Replies: 0 / Share:

Seems like Microsoft keeps taking ideas from Linux, which is a good thing as now we can install and remove the Graphical User Interface or add it on a server core installation.

You may want to do this if when you installed your server you installed the Graphical version and now you no longer need it. This will make your server run lighter then it does with the GUI enabled. If you have a server core you can also install the GUI with a simple PowerShell command.

There are two ways to remove the graphical user interface from your Server 2012 or Server 2012 R2 installation. You can do it from both by  the shell using Powershell and graphically by using Server Manager

Removing GUI From Server 2012 R2 Using Server Manager

  • Open Server Manager
  • Select “Manage” (on the top right hand corner)
  • Select “Remove Roles and Features”
  • Then you will need to select your server and click “Next”
  • Then you will be greeted by the Remove Roles page since the GUI is not a Server Role you can just select “Next”
  • Now you are on the Remove Features page. Unselect the “User Interfaces and Infrastructure” and hit the “Next” button
  • The next page you can select the server to reboot automatically. If you want it to reboot automatically then leave it checked, if you want to reboot your server manually then uncheck the check box.
  • Once your server boots up you will be in Windows Server 2012 R2 Core version

 Removing GUI From Server 2012 R2 Using PowerShell

  • Run PowerShell as administrator
  • Run the command Uninstall-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
  • Now reboot your server (You can do this from PowerShell by running the command Shutdown –r -t 0)
  • Once your server boots up you will be in Windows Server 2012 R2 Core version

 

Adding GUI In Server 2012 R2 Core Installation

  • Run the command powershell that will open powershell in server core
  • Run the command Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
  • Reboot the Server by running the command Shutdown –r -t 0
  • Once your server boots up you will be in the graphical version of Windows Server 2012 R2
Read More →
Replies: 0 / Share:

This Exchange error happens when you try to access Outlook Web Access or browse the URL http://servername/OWA. This error can happen when install patches on your server or if you have had some issues with your SSL certificate(which is how it was caused for me).

When you browse the Outlook Web Access you get greeted with a message saying

Outlook Web Access did not initialize. An event has been logged so that the system administrator can resolve the issue. Please contact technical support for your organization.
The Exchange Topology service on server localhost did not return a suitable domain controller.

To fix this issue you need to:

  • Open IIS and find the site “owa”.
  • Click on the “edit settings…” button on the right hand menu bar
  • Look at the Physical Path box and copy the path(see picture below)

 

Exchange 2007 fix OWA not working
On this server it is: “C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa”
Allow anonymous access to OWA exchange 2007
Change the permissions for folders to allow read access for ANONYMOUS LOGON

Open Windows Explorer and then browse to the same location that the OWA Physical Path is located and change the permissions for the numbered folders listed below to allow ANONYMOUS LOGON to have read access to the folders.

Folders to change permissions on:

  • 8.1.240.5
  • 8.3.83.4
  • 8.3.279.5
  • 8.3.342.1
  • 8.3.342.2

Now that is done open your internet client and browse to the Outlook Web Access URL. You should see the normal OWA page not the “Outlook Web Access did not initialize.” error page.

Read More →
Replies: 0 / Share: