Installing & Configuring URLScan on Windows servers

Download and install URLScan. Installation is straightforward; you do not need to consult any documentation.

The two files needed to configure URLScan (urlscan.dll and urlscan.ini) are by default located in the folder C:\Windows\System32\inetsrv\urlscan\

By default, after installation URLScan is configured as a global filter, i.e. at the top level of IIS, so the filter is applied to every site created in IIS.

The alternative is to apply the URLScan 3.1 filter at the individual site level, so that the URLScan filter can be configured separately for each site.

For example, suppose you have two sites, site1 and site2, under IIS.

Open IIS Manager and, on the right-hand side, open the “ISAPI Filters” feature. You will see URLScan 3.1; remove that filter.

Copy URLScan.ini and URLScan.dll from c:\windows\system32\inetsrv\urlscan\

Now right-click site1, select “Browse” and paste URLScan.ini and URLScan.dll into the site folder. Edit URLScan.ini according to your hardening requirements.
Now open ISAPI Filters for site1 and add the URLScan filter with Name: URLScan and Path: path-to-site1, then move it to the top of the list. You can select “View Ordered List” and use the up arrow to move URLScan to the top of the list.

Restart IIS. 

Do the same for site2.

You can edit URLScan.ini to point at a log directory, so that every rejected URL is recorded.
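The per-site procedure above, scripted with the IIS WebAdministration module. This is an added example and is not code from the original post or from the URLScan project; it assumes IIS 7 or later, URLScan 3.1 installed under C:\Windows\System32\inetsrv\urlscan, that the site names in $sites exist in IIS, and a log root of C:\inetpub\logs\UrlScan (an assumed location outside the web roots, so the logs are not served). The Set-IniValue helper is hypothetical and only edits the EnableLogging and LoggingDirectory keys of the [Options] section.

```powershell
# Added example (not from the original post): per-site URLScan registration.
Import-Module WebAdministration

$urlscanSrc = 'C:\Windows\System32\inetsrv\urlscan'
$sites      = @('site1', 'site2')            # sites that get their own filter copy
$logRoot    = 'C:\inetpub\logs\UrlScan'      # assumed: keep logs outside the web roots
$appHost    = 'MACHINE/WEBROOT/APPHOST'
$filterPath = 'system.webServer/isapiFilters'

# Hypothetical helper: set Key=Value inside [Section] of an INI file, adding it if absent.
function Set-IniValue {
    param([string]$Path, [string]$Section, [string]$Key, [string]$Value)
    $out = New-Object System.Collections.Generic.List[string]
    $inSect = $false; $done = $false
    foreach ($line in @(Get-Content -Path $Path)) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Leaving the target section without having seen the key: append it there.
            if ($inSect -and -not $done) { $out.Add("$Key=$Value"); $done = $true }
            $inSect = ($Matches[1] -eq $Section)
        }
        elseif ($inSect -and -not $done -and $line -match "^\s*;?\s*$Key\s*=") {
            $out.Add("$Key=$Value"); $done = $true; continue   # replace (even a commented-out) key
        }
        $out.Add($line)
    }
    if (-not $done) {
        if (-not $inSect) { $out.Add("[$Section]") }
        $out.Add("$Key=$Value")
    }
    Set-Content -Path $Path -Value $out
}

# 1. Remove the global filter so URLScan is no longer applied to every site.
Get-WebConfiguration -PSPath $appHost -Filter "$filterPath/filter" |
    Where-Object { $_.path -like '*\urlscan.dll' } |
    ForEach-Object {
        Remove-WebConfigurationProperty -PSPath $appHost -Filter $filterPath `
            -Name '.' -AtElement @{ name = $_.name }
    }

foreach ($site in $sites) {
    # 2. Copy the DLL and INI into the site's physical folder so it can be hardened on its own.
    $dest = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $site).physicalPath)
    Copy-Item "$urlscanSrc\urlscan.dll", "$urlscanSrc\urlscan.ini" -Destination $dest -Force

    # 3. Point the site's INI at its own log directory so rejected requests are recorded.
    $logDir = Join-Path $logRoot $site
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    Set-IniValue -Path "$dest\urlscan.ini" -Section 'Options' -Key 'EnableLogging'    -Value '1'
    Set-IniValue -Path "$dest\urlscan.ini" -Section 'Options' -Key 'LoggingDirectory' -Value $logDir

    # 4. Register the filter at site level, at index 0 so it sits at the top of the list.
    Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filterPath `
        -Name '.' -Value @{ name = 'URLScan'; path = "$dest\urlscan.dll" } -AtIndex 0
}

iisreset
```

After the reset, check the ISAPI Filters feature of each site in IIS Manager: URLScan should appear first at site level and no longer at the server level, and the per-site log directory should start receiving entries for rejected requests.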

Find all open connections with port numbers from your computer

Open a command prompt and run the command netstat -an.

To filter the output for a particular IP, use the following syntax:

netstat -an | find " 192.168.100.1"

Or, to check for a specific port: netstat -an | findstr "443"

Or, to get more details such as the process ID that is using the port:

netstat -bano | findstr "443"
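The same lookup done from PowerShell, as an added example that is not part of the original post: it parses the netstat -ano output into objects and joins each socket with its owning process name from Get-Process, so a port can be traced to a process without the -b switch (which needs an elevated prompt). It assumes the English netstat column layout (Proto, Local Address, Foreign Address, State, PID); the sample lines are constructed, not captured from a real host, and ConvertFrom-Netstat and Get-PortOwner are names chosen for this example.

```powershell
# Added example (not from the original post): netstat -ano parsed into objects.
function ConvertFrom-Netstat {
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    process {
        foreach ($l in $Line) {
            # TCP rows carry a State column, UDP rows do not; "[::]:135" and "*:*" are handled
            # because the address part is matched greedily up to the last colon.
            if ($l -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$') {
                [pscustomobject]@{
                    Proto      = $Matches[1]
                    LocalIP    = $Matches[2]
                    LocalPort  = [int]$Matches[3]
                    RemoteIP   = $Matches[4]
                    RemotePort = $Matches[5]
                    State      = $Matches[6]          # $null for UDP
                    PID        = [int]$Matches[7]
                }
            }
        }
    }
}

# Which process owns a given local port, using the live netstat output by default.
function Get-PortOwner {
    param([int]$Port, [string[]]$NetstatOutput = (netstat -ano))
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }
    $NetstatOutput | ConvertFrom-Netstat |
        Where-Object { $_.LocalPort -eq $Port } |
        Select-Object Proto, LocalIP, LocalPort, RemoteIP, State, PID,
            @{ n = 'Process'; e = { $procs[$_.PID] } }
}

# Constructed sample output (not captured from a real server) to exercise the parser offline.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1484',
    '  TCP    192.168.100.5:443      192.168.100.1:50132    ESTABLISHED     1484',
    '  TCP    [::]:3389              [::]:0                 LISTENING       1120',
    '  UDP    0.0.0.0:123            *:*                                    972'
)
$sample | ConvertFrom-Netstat | Format-Table -AutoSize

# On a live server:
# Get-PortOwner -Port 443
```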

Advanced audit policy in Windows using auditpol.exe

It is preferable to set the advanced audit policy from the command prompt/PowerShell rather than from the GUI. Note that even after you apply the settings from the command line, the GUI might not reflect them. But that is not an issue, as far as I know.

Open gpedit.msc or secpol.msc:

  • Computer Configuration – Security Settings – Security Options
  • Set the policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to “Enabled”.

To get the full advanced audit policy of a server, use the command

  • auditpol.exe /get /category:*

This lists the categories and subcategories with their status: success/failure/not configured.

A few examples:

  • auditpol.exe /set /subcategory:"Credential Validation" /success:enable /failure:enable

The command below enables success auditing only:

  • auditpol.exe /set /subcategory:"Credential Validation" /success:enable

The command below sets Credential Validation to “No Auditing”:

  • auditpol.exe /set /subcategory:"Credential Validation" /success:disable /failure:disable

You can group all of these commands into a PowerShell script or a batch file and run it on the required machines.
Refer to the Microsoft documentation for detailed information: https://technet.microsoft.com/en-us/library//dd408940(v=ws.10).aspx
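A grouped script of the kind suggested above, as an added example that is not from the original post or from Microsoft: it enables the subcategory-override policy through its backing registry value (SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), applies a list of subcategories with auditpol.exe, and then reads each one back with auditpol /get /r, whose CSV output can be parsed, so the result is verified independently of the GUI. The subcategory list is an assumed baseline, not a recommendation taken from the page; Get-AuditSetting is a name chosen for this example. Run it elevated.

```powershell
# Added example (not from the original post): apply and verify advanced audit settings.

# Same effect as the "Force audit policy subcategory settings ... to override" policy.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Assumed baseline; adjust to your own hardening requirements.
$policy = @(
    @{ Subcategory = 'Credential Validation';       Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Logon';                       Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Logoff';                      Success = 'enable'; Failure = 'disable' },
    @{ Subcategory = 'Special Logon';               Success = 'enable'; Failure = 'disable' },
    @{ Subcategory = 'User Account Management';     Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Security Group Management';   Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Audit Policy Change';         Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Process Creation';            Success = 'enable'; Failure = 'disable' }
)

foreach ($p in $policy) {
    # Each switch is passed as one quoted argument so names with spaces survive intact.
    $out = & auditpol.exe /set "/subcategory:$($p.Subcategory)" "/success:$($p.Success)" "/failure:$($p.Failure)"
    if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to set '$($p.Subcategory)': $out" }
}

# Read a subcategory back. "/r" makes auditpol print CSV with an "Inclusion Setting" column
# (e.g. "Success and Failure", "Success", "No Auditing").
function Get-AuditSetting {
    param([string]$Subcategory)
    $csv = & auditpol.exe /get "/subcategory:$Subcategory" /r | Where-Object { $_ -ne '' }
    $csv | ConvertFrom-Csv | Select-Object Subcategory, 'Inclusion Setting'
}

$policy | ForEach-Object { Get-AuditSetting -Subcategory $_.Subcategory } | Format-Table -AutoSize
```

Because the verification step queries auditpol rather than the GUI, it shows the effective setting even when secpol.msc has not refreshed, which is the discrepancy noted above.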

Remotely log off an RDP session / log off a user remotely

Open a command prompt as a user that has access to the remote server. If the local and remote servers are in a workgroup, it is easiest if the same account and password exist on both servers. Either log in to the local PC with that account and open a command prompt, or use “Run as different user” to open the command prompt.

qwinsta /server:<servername or ipaddress>

This lists all logged-on sessions on the remote server. Using the session ID, you can then log the user off the remote server:

rwinsta <sessionid> /server:<servername or ipaddress>   (or: logoff <sessionid> /server:<servername or ipaddress>)
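The same procedure from PowerShell, as an added example that is not part of the original post: ConvertFrom-Qwinsta parses the fixed-width qwinsta output into objects (session name, user, ID, state) and Disconnect-RemoteUser then logs off every session of a given user by name, so the ID does not have to be read off the screen. It assumes the English column headers, that the account running it already has rights on the remote server as described above, and that logoff /server is available; the sample output is constructed, and both function names are chosen for this example.

```powershell
# Added example (not from the original post): parse qwinsta output and log off by user name.
function ConvertFrom-Qwinsta {
    param([string[]]$Lines)
    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { return }
    # Column boundaries come from the header line, so they follow the server's own layout.
    $uStart  = $header.IndexOf('USERNAME')
    $idEnd   = $header.IndexOf(' ID ') + 3      # ID is right-aligned and ends under "ID"
    $stStart = $header.IndexOf('STATE')
    $tyStart = $header.IndexOf('TYPE')
    foreach ($line in $Lines) {
        if ($line -eq $header -or $line.Trim() -eq '') { continue }
        $l = $line.PadRight($header.Length)
        # The username may be empty and a wide ID (e.g. 65536) can spill left into the
        # username area, so the user/ID region is split with a regex rather than by column.
        $userId = $l.Substring($uStart, $idEnd - $uStart)
        if ($userId -notmatch '^\s*(\S*)\s*(\d+)\s*$') { continue }
        [pscustomobject]@{
            Session  = $l.Substring(0, $uStart).TrimStart('>').Trim()
            UserName = $Matches[1]
            Id       = [int]$Matches[2]
            State    = $l.Substring($stStart, $tyStart - $stStart).Trim()
        }
    }
}

function Disconnect-RemoteUser {
    param([string]$Server, [string]$UserName)
    $sessions = ConvertFrom-Qwinsta -Lines (& qwinsta "/server:$Server" 2>&1)
    foreach ($s in ($sessions | Where-Object { $_.UserName -eq $UserName })) {
        Write-Host "Logging off session $($s.Id) ($($s.State)) of $UserName on $Server"
        & logoff $s.Id "/server:$Server"
    }
}

# Constructed sample output (not captured from a real server) to exercise the parser offline.
$sample = @(
    ' SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE',
    ' services                                    0  Disc',
    ' console                                     1  Conn',
    ' rdp-tcp#0         jdoe                      2  Active  rdpwd',
    '                   asmith                    3  Disc',
    ' rdp-tcp                                 65536  Listen'
)
ConvertFrom-Qwinsta -Lines $sample | Format-Table -AutoSize

# On a live network:
# Disconnect-RemoteUser -Server 'servername' -UserName 'jdoe'
```

Filtering on the parsed State column is also a quick way to find stale disconnected sessions (State "Disc") that still hold resources on the server.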

Windows Server Update Services – Troubleshooting

  1. Telnet to the WSUS server on port 80 (the default) or whichever port your environment uses.
  2. Check the Windows Update log at c:\windows\windowsupdate.log
  3. Check that the group policy is correct: gpedit.msc – Local Computer Policy – Computer Configuration – Administrative Templates – Windows Components – Windows Update
     a) Check “Specify intranet Microsoft update service location”: it should point to your WSUS server and the port number should be correct.
     b) Check whether “client-side targeting” is enabled (if enabled, the computer will appear under the group name configured on the WSUS server; if not enabled, ignore this).
  4. Check the proxy settings.
  5. Check the firewall.
  6. Delete the SoftwareDistribution folder at c:\Windows\SoftwareDistribution and run the command wuauclt.exe /detectnow.
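The client-side checks of the list above gathered into one script, as an added example that is not from the original post or from Microsoft. It reads the WSUS settings from the policy registry keys that the group policy in step 3 writes (WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup, and UseWUServer under AU), tests the TCP port of the WSUS server with a socket instead of telnet (step 1, which also exposes a firewall block from step 5), prints the WinHTTP proxy used by the update agent (step 4), scans the tail of the log (step 2), and resets the download cache (step 6). It assumes a client older than Windows 10, where WindowsUpdate.log is still a text file, PowerShell 3.0 or later for Get-Content -Tail, and an elevated prompt; Test-WsusPort and Reset-WindowsUpdateCache are names chosen for this example.

```powershell
# Added example (not from the original post): WSUS client-side troubleshooting checks.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$pol = Get-ItemProperty -Path $wuPolicy        -ErrorAction SilentlyContinue
$au  = Get-ItemProperty -Path "$wuPolicy\AU"   -ErrorAction SilentlyContinue

# Step 3a/3b: intranet update location and client-side targeting, as written by the GPO.
if (-not $pol -or -not $pol.WUServer) {
    Write-Warning 'WUServer is not set: the intranet update service location policy is not applied.'
} else {
    "WUServer           : $($pol.WUServer)"
    "WUStatusServer     : $($pol.WUStatusServer)"
    "UseWUServer        : $($au.UseWUServer)   (1 = agent uses the WSUS server)"
    "TargetGroupEnabled : $($pol.TargetGroupEnabled)   TargetGroup: $($pol.TargetGroup)"
}

# Step 1 (and 5): can the WSUS host and port be reached at all? Same idea as telnet.
function Test-WsusPort {
    param([string]$Url, [int]$TimeoutMs = 3000)
    $u = [uri]$Url                              # http://wsus:8530 -> Host wsus, Port 8530
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($u.Host, $u.Port, $null, $null)
        $ok = $ar.AsyncWaitHandle.WaitOne($TimeoutMs)
        if ($ok) { $client.EndConnect($ar) }
        [pscustomobject]@{ Host = $u.Host; Port = $u.Port; Reachable = ($ok -and $client.Connected) }
    } catch {
        [pscustomobject]@{ Host = $u.Host; Port = $u.Port; Reachable = $false }
    } finally {
        $client.Close()
    }
}
if ($pol.WUServer) { Test-WsusPort -Url $pol.WUServer | Format-Table -AutoSize }

# Step 4: the update agent uses the WinHTTP proxy, not the user's browser proxy.
netsh winhttp show proxy

# Step 2: recent warnings and failures in the agent log.
Get-Content "$env:windir\WindowsUpdate.log" -Tail 200 | Select-String 'WARNING|FATAL'

# Step 6: clear the download cache and force a detection cycle (after the checks above pass).
function Reset-WindowsUpdateCache {
    Stop-Service -Name wuauserv -Force
    Remove-Item -Path "$env:windir\SoftwareDistribution" -Recurse -Force
    Start-Service -Name wuauserv
    wuauclt.exe /detectnow
}
# Reset-WindowsUpdateCache
```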

Move local users from Windows Server 2003 to Windows Server 2008 R2 / Windows Server 2012 R2

Unfortunately, USMT cannot be used to move local user accounts from a Windows server.

AIM:

To move local user accounts and the groups associated with each user account.
Source: Windows Server 2003 SP2
Destination: Windows Server 2012 R2

HOW TO:

On the 2012 server, install the feature “Windows Server Migration Tools”.
Browse to c:\windows\system32\servermigrationtools\
Execute the command below:
.\smigdeploy.exe /package /architecture x86 /os WS03 /path c:\deploy

Now copy c:\deploy to the 2003 server.

On the 2003 server, open a command prompt, browse to c:\smt_ws03_x86 and execute the command below:
smigdeploy.exe
Wait until it opens a PowerShell window.

In the PowerShell window, run the command below:
Export-SmigServerSetting -User All -Group -Path c:\win2k3users

Copy the c:\win2k3users folder to the 2012 server.

On the 2012 server:
Open Server Manager – Tools – Windows Server Migration Tools – Windows Server Migration Tools. This opens a PowerShell window.

Run the command below:
Import-SmigServerSetting -User All -Group -Path c:\win2k3users -Verbose

Now all users are imported.
After the import, all user accounts are disabled, and none of the migrated accounts has a password associated: it is possible to log in without any password. Remember to set a password for every required account before enabling it.
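A post-import step that closes the gap just described, as an added example that is not from the original post or from the Windows Server Migration Tools: it lists every disabled local user through the WinNT ADSI provider (which works on 2008 R2 and 2012 R2, where Get-LocalUser does not exist), then gives each one a random password that must be changed at next logon and only then enables it, so no migrated account is ever enabled with an empty password. Built-in accounts are skipped by name. Get-DisabledLocalUser and Enable-MigratedUser are names chosen for this example; run it elevated on the destination server.

```powershell
# Added example (not from the original post): set passwords before enabling migrated users.
Add-Type -AssemblyName System.Web           # for Membership.GeneratePassword
$ADS_UF_ACCOUNTDISABLE = 0x2                # userFlags bit for "account is disabled"

# Every local user account that is currently disabled (the migrated ones, plus built-ins).
function Get-DisabledLocalUser {
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' -and ($_.UserFlags.Value -band $ADS_UF_ACCOUNTDISABLE) } |
        ForEach-Object { [string]$_.Name }
}

# Assign a random password, force a change at next logon, then clear the disabled flag.
function Enable-MigratedUser {
    param([string[]]$Name, [string[]]$Exclude = @('Guest', 'DefaultAccount'))
    foreach ($n in $Name) {
        if ($Exclude -contains $n) { continue }
        $user = [ADSI]"WinNT://$env:COMPUTERNAME/$n,user"
        $password = [System.Web.Security.Membership]::GeneratePassword(16, 3)
        $user.SetPassword($password)                 # password set while still disabled
        $user.PasswordExpired = 1                    # user must change it at next logon
        $user.UserFlags.Value = $user.UserFlags.Value -band (-bnot $ADS_UF_ACCOUNTDISABLE)
        $user.SetInfo()
        [pscustomobject]@{ User = $n; TempPassword = $password }
    }
}

# Review the list first, then enable; hand the temporary passwords over out of band.
Get-DisabledLocalUser
# Enable-MigratedUser -Name (Get-DisabledLocalUser) | Format-Table -AutoSize
```

Running Get-DisabledLocalUser again afterwards should return only the excluded built-in accounts, which confirms that no migrated account is left either disabled or enabled without a password.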

Find the serial number of a Windows PC

To find the serial number of a PC running Windows, open PowerShell and run the command below:

get-wmiobject win32_bios

OR

gwmi win32_bios