While building a lab to test Windows services (AD, DNS, DHCP, ADCS, etc.) in my VMware ESXi 6 environment, I used the following tricks to get it running smoothly and save myself some headaches.

Most of the work is done in the Group Policy Management Editor. In a domain environment, create these settings in a GPO: launch Group Policy Management and edit the Default Domain Policy, or better, a dedicated lab GPO linked to the lab OU so the changes are easy to find and remove later. On a standalone machine, configure the local GPO instead (gpedit.msc).

Note: to refresh the policy, run "gpupdate /force" in a CMD window and press ENTER.

1. Disable Password Complexity Verification
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policy -> Password Policy -> Password must meet complexity requirements -> Disabled

Keep in mind that in a domain the password policy for domain accounts is only read from GPOs linked at the domain root (by default the Default Domain Policy); the same setting in a GPO linked to an OU only affects local accounts on the machines in that OU.

2. Disable Ctrl+Alt+Del
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Interactive logon: Do not require CTRL+ALT+DEL -> Enabled

3. Disable the Windows auto-lock timeout

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Interactive logon: Machine inactivity limit

To stop the machine from locking itself, set it to 0 (no limit). Keep in mind the security impact this has; it is fine in an isolated lab and a bad idea on anything reachable from a production network.

4. Disable IE Enhanced Security Configuration
In Windows Server 2012, Enhanced Security Configuration is turned on by default for Internet Explorer, which gets in the way of downloading software or browsing the Internet. You can turn it off in Server Manager as follows: open Server Manager and click Local Server on the left. On the right, in the Properties section, click the On link next to IE Enhanced Security Configuration and switch it off for Administrators and/or Users.
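The four lab relaxations above can also be applied (and, more importantly, reverted) from an elevated PowerShell session on the local machine. This is an added example, not code from the original post. It assumes a standalone or lab box; on a domain member a domain GPO overwrites these values at the next refresh. Items 2 to 4 map to registry values that the GPO editor and Server Manager set themselves; item 1 lives in the local security database, so it is round-tripped through secedit.

```powershell
# Added example (not from the original post): apply the four lab-only relaxations
# above to the LOCAL machine, and undo them with -Revert. Run elevated.
# Assumption: standalone/lab host; a domain GPO overrides these values on a domain member.
[CmdletBinding()]
param([switch]$Revert)

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Server Manager toggles IE ESC through these two Active Setup components (admins / users).
$ieEsc = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

# 1. Password complexity is a security-template setting, not a registry value:
#    export the local policy, change the one line, and import it again.
function Set-PasswordComplexity([int]$Enabled) {
    $cfg = Join-Path $env:TEMP 'lab-secpol.inf'
    $db  = Join-Path $env:TEMP 'lab-secpol.sdb'
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    (Get-Content $cfg) -replace '^PasswordComplexity\s*=.*$', "PasswordComplexity = $Enabled" |
        Set-Content $cfg -Encoding Unicode
    secedit.exe /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

function Set-LabLogonPolicy([switch]$Revert) {
    if ($Revert) {
        Set-PasswordComplexity 1
        # Deleting the values puts both settings back to "Not Defined".
        Remove-ItemProperty -Path $policy -Name DisableCAD, InactivityTimeoutSecs -ErrorAction SilentlyContinue
        foreach ($k in $ieEsc.Values) { Set-ItemProperty -Path $k -Name IsInstalled -Value 1 -Type DWord }
    } else {
        Set-PasswordComplexity 0                                                          # 1. complexity off
        Set-ItemProperty -Path $policy -Name DisableCAD -Value 1 -Type DWord             # 2. no Ctrl+Alt+Del
        Set-ItemProperty -Path $policy -Name InactivityTimeoutSecs -Value 0 -Type DWord  # 3. 0 = no inactivity lock
        foreach ($k in $ieEsc.Values) { Set-ItemProperty -Path $k -Name IsInstalled -Value 0 -Type DWord }  # 4. IE ESC off
    }
    # Report the resulting state so it can be checked before logging off.
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableCAD            = $p.DisableCAD
        InactivityTimeoutSecs = $p.InactivityTimeoutSecs
        IeEscAdmins           = (Get-ItemProperty -Path $ieEsc.Administrators).IsInstalled
        IeEscUsers            = (Get-ItemProperty -Path $ieEsc.Users).IsInstalled
    }
}

Set-LabLogonPolicy -Revert:$Revert
```

The password-complexity change applies immediately; the logon and inactivity values are read at the next logon, and the IE ESC change needs Internet Explorer to be restarted. Run the script again with -Revert before the lab host is ever joined to anything that matters.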

5. Command line: Server Configuration (SCONFIG)
SCONFIG was originally developed for Microsoft Hyper-V Server 2008, a free virtualization platform based on Windows Server 2008 RTM Core with the Hyper-V role pre-installed. Some customers went ahead and copied the script onto Server Core installations on other machines, and SCONFIG was later made part of the R2 release of Windows Server 2008.

SCONFIG lets you manage many aspects of a Server Core machine and dramatically eases the initial configuration of Windows Server 2008 R2 Core deployments: you can set the system up, get it on the network, and enable remote management from there.

To run SCONFIG, type sconfig.cmd at the command prompt and press Enter.

Options:
1) Domain/Workgroup
2) Computer Name
3) Add Local Administrator
4) Configure Remote Management
5) Windows Update Settings
6) Download and Install Updates
7) Remote Desktop
8) Network Settings
9) Date and Time
10) Help improve the product with CEIP
11) Windows Activation
12) Log Off User
13) Restart Server
14) Shut Down Server
15) Exit to Command Line

6. CredSSP Encryption Oracle Remediation error on Remote Desktop Connection
(Fixing the authentication error when connecting to a server over RDP)


The Windows 10 updates released in May 2018 tightened the security of several protocols to close known vulnerabilities. Among them, new rules were introduced for the CredSSP protocol used during the RDP authentication phase (CVE-2018-0886): a patched client now refuses, by default, to authenticate to a server that has not been patched.

Unfortunately, for a large number of users this caused the following error when making a remote connection via RDP.

Problem 1: "An authentication error has occurred. The function requested is not supported." when connecting to the server.

Solution:

  • Click Start, then Run (or press Windows + R) and type gpedit.msc
  • In the window that appears, go to COMPUTER CONFIGURATION -> ADMINISTRATIVE TEMPLATES -> SYSTEM -> CREDENTIALS DELEGATION and select Encryption Oracle Remediation in the right-hand pane.
  • In the dialog that opens, select ENABLED and then, in the Protection Level drop-down below, select VULNERABLE and click OK.

The three levels are Force Updated Clients (0), Mitigated (1, the default after the update) and Vulnerable (2). Vulnerable switches the client-side protection off again, which is acceptable for a throwaway lab server; the proper fix is to install the May 2018 update on the RDP server and then set the policy back to Mitigated or Not Configured.


Problem 2: the "Encryption Oracle Remediation" policy does not exist after following the steps above.
The setting cannot be found in gpedit.msc at all, and the recent Microsoft update KB4103718 (which ships the policy template) is not installed either. In that case use the registry method:
  • Click Start, then Run (or press Windows + R) and type regedit
  • Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters. Usually the tree ends at System; create the missing CredSSP and Parameters keys by hand.
  • In the Parameters key, create a new DWORD (32-bit) value named AllowEncryptionOracle (or change it, if already present) and set it to 2 (the default after the update is 1, Mitigated).
  • Then you can log in over Remote Desktop again (reboot if necessary).
  • If these steps are too fiddly, paste the following into Notepad (any file name), change the .txt extension to .reg and double-click the file to import it into the registry automatically:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
    "AllowEncryptionOracle"=dword:00000002
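The registry fix for Problem 2, and the check that shows which of the three levels a client is currently at, as an added PowerShell example (not code from the original post). It assumes an elevated session on the RDP client and that the Encryption Oracle Remediation GPO is Not Configured, since a configured GPO would overwrite the value at the next policy refresh.

```powershell
# Added example (not from the original post): read and set the client-side CredSSP
# "Encryption Oracle Remediation" level. Run elevated; assumes the matching GPO is not configured.
$credSsp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$levels  = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated (default after the May 2018 update)'; 2 = 'Vulnerable' }

function Get-CredSspOracleLevel {
    $v = (Get-ItemProperty -Path $credSsp -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
    if ($null -eq $v) { return 'not set (a patched client behaves as 1 = Mitigated)' }
    "$v = $($levels[[int]$v])"
}

function Set-CredSspOracleLevel([ValidateSet(0, 1, 2)][int]$Level) {
    # Problem 2 above: the CredSSP\Parameters keys normally do not exist yet, so create them.
    if (-not (Test-Path -Path $credSsp)) { New-Item -Path $credSsp -Force | Out-Null }
    Set-ItemProperty -Path $credSsp -Name AllowEncryptionOracle -Value $Level -Type DWord
    # The RDP client reads the value on the next connection attempt; reboot only if it does not.
    Get-CredSspOracleLevel
}

"Before: $(Get-CredSspOracleLevel)"
Set-CredSspOracleLevel -Level 2      # lab only: allow talking to the unpatched server
# Once the server has the update, put the protection back:
# Set-CredSspOracleLevel -Level 1
```

Keep the "Before" output; it tells you whether the client was at Mitigated (the expected post-update state) or whether somebody had already dropped it to Vulnerable and forgotten about it.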

7. Configure Windows Server as an NTP server

① On the DC, run regedit, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters and set Type to "NTP".

② Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config, set AnnounceFlags to 5.

③ Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer, set Enabled to 1.

④ Restart the Windows Time service.

⑤ Turn the firewall off, or (better) open only the NTP port from a CMD prompt with: "netsh firewall add portopening protocol = UDP port = 123 name = NTPSERVER". The netsh firewall context is deprecated from Windows 7 / Server 2008 R2 on; the equivalent there is "netsh advfirewall firewall add rule name=NTPSERVER dir=in action=allow protocol=UDP localport=123".

What the values mean: Type = NTP makes w32time sync from the peers listed in the NtpServer value of the same Parameters key instead of from the domain hierarchy (NT5DS), so do this on the PDC emulator only and point NtpServer at a reliable upstream source; leave the other DCs and the members at NT5DS. AnnounceFlags 5 (0x1 + 0x4) announces the box as an always-on, reliable time server, and Enabled = 1 on the NtpServer provider makes it actually answer requests on UDP/123.
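The five steps above as one script for an elevated PowerShell session on the PDC emulator, with a check at the end, as an added example (not code from the original post). The upstream peer list is an assumption; replace it with your own time source. The firewall step uses New-NetFirewallRule, the advfirewall equivalent of the netsh command, so the firewall stays on.

```powershell
# Added example (not from the original post): steps ① to ⑤ above on the PDC emulator.
# Run elevated. $UpstreamPeers is an assumption; use your own source.
param([string]$UpstreamPeers = 'pool.ntp.org,0x8')   # 0x8 = client mode for that peer

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Enable-LabNtpServer {
    # ① Sync from the NtpServer peers instead of the domain hierarchy (NT5DS).
    Set-ItemProperty -Path "$w32\Parameters" -Name Type      -Value 'NTP'          -Type String
    Set-ItemProperty -Path "$w32\Parameters" -Name NtpServer -Value $UpstreamPeers -Type String
    # ② AnnounceFlags 5 = always a time server (0x1) + always reliable (0x4).
    Set-ItemProperty -Path "$w32\Config" -Name AnnounceFlags -Value 5 -Type DWord
    # ③ Turn the NtpServer provider on so the host answers NTP requests on UDP/123.
    Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
    # ④ Restart the Windows Time service and trigger a sync with the new peers.
    Restart-Service -Name w32time
    w32tm.exe /resync /nowait | Out-Null
    # ⑤ Open only UDP/123 inbound instead of turning the firewall off.
    if (-not (Get-NetFirewallRule -DisplayName 'NTPSERVER' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'NTPSERVER' -Direction Inbound -Protocol UDP `
            -LocalPort 123 -Action Allow | Out-Null
    }
}

function Test-LabNtpServer {
    # The registry values the steps set, plus the service's own view of its source.
    [pscustomobject]@{
        Type          = (Get-ItemProperty -Path "$w32\Parameters").Type
        NtpServer     = (Get-ItemProperty -Path "$w32\Parameters").NtpServer
        AnnounceFlags = (Get-ItemProperty -Path "$w32\Config").AnnounceFlags
        NtpServerOn   = (Get-ItemProperty -Path "$w32\TimeProviders\NtpServer").Enabled
        Source        = (w32tm.exe /query /source)
        Status        = (w32tm.exe /query /status | Select-String -Pattern 'Stratum|Last Successful')
    }
}

Enable-LabNtpServer
Test-LabNtpServer
# From a client, check the offset against the DC:  w32tm /stripchart /computer:<dc-name> /samples:3 /dataonly
```

If Source still shows "Local CMOS Clock" after a minute, the upstream peer is not reachable (UDP/123 outbound blocked, or no Internet from the lab); the server will still serve time, but only its own drifting clock.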

8. GPO MSI/MST package deployment errors

Sometimes, even when the group policy to deploy an MSI/MST package is set up correctly, the remote deployment still fails.

Here are some solutions that have worked for me before:

  • Enable "Computer Configuration\Policies\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon".
  • Enable "Computer Configuration\Policies\Administrative Templates\System\Group Policy\Specify startup policy processing wait time" and set it to at least 30 seconds; the default of 120 seconds may be too long.
  • Make sure the package installs on one of your clients manually from the distribution point: open the share from a remote client and install the package you want to deploy through the GPO by hand to see whether it errors. A common cause is that the remote client is missing the .NET Framework version the package requires.

Some group policy troubleshooting commands:

  • gpupdate /force
  • rsop.msc
  • gpresult /h gppolicy.html (writes the HTML report; /s takes a remote system name, not a file)

Note: the free PDG software can also be used to deploy software, scripts and applications.
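The manual test from the third bullet, done so that the failure is captured in a verbose MSI log and an exit code rather than silently dropped at startup, as an added PowerShell example (not code from the original post). The share path, package and transform names are assumptions; the rest uses only msiexec, the Application event log and gpresult.

```powershell
# Added example (not from the original post): reproduce a GPO software installation by hand
# on one client. Share, MSI and MST names are assumptions. Run elevated on the client.
param(
    [string]$Package   = '\\fileserver\software\app.msi',
    [string]$Transform = '\\fileserver\software\app.mst',   # pass '' if there is no MST
    [string]$Log       = "$env:TEMP\gpo-msi-test.log"
)

function Test-MsiFromDistributionPoint {
    # GPO software installation runs as the computer account over the UNC path typed in the
    # GPO, so test the UNC path itself (not a mapped drive) and make sure Domain Computers can read it.
    foreach ($p in @($Package, $Transform) | Where-Object { $_ }) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Not reachable from this client: $p" }
    }
    $msiArgs = @('/i', "`"$Package`"", '/qn', '/norestart', '/l*v', "`"$Log`"")
    if ($Transform) { $msiArgs += "TRANSFORMS=`"$Transform`"" }
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    # Common msiexec exit codes: 0 ok, 1603 fatal error, 1618 another install running, 3010 ok but reboot needed.
    $meaning = @{ 0 = 'success'; 1603 = 'fatal error during installation'
                  1618 = 'another installation already in progress'; 3010 = 'success, reboot required' }
    [pscustomobject]@{
        ExitCode = $proc.ExitCode
        Meaning  = if ($meaning.ContainsKey($proc.ExitCode)) { $meaning[$proc.ExitCode] } else { 'see log' }
        Log      = $Log
        # In a verbose MSI log, "Return value 3" marks the first action that failed.
        Failure  = (Select-String -Path $Log -Pattern 'Return value 3' | Select-Object -First 1).Line
    }
}

function Get-RecentMsiEvents {
    # MsiInstaller logs one Application event per attempt; GPO-driven installs at startup appear here too.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'
                                     StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-MsiFromDistributionPoint
Get-RecentMsiEvents
# Finally confirm the GPO actually reached this computer (Software Installation section of the report):
gpresult.exe /scope computer /h "$env:TEMP\gpresult.html" /f
```

If the manual install returns 0 but the GPO deployment still does nothing, the problem is on the policy side (network not up at startup, GPO not applied to the computer object, or share permissions for the computer account), which is what the two "wait for network" settings above and the gpresult report are for.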

By Jonny
