Edit Group Policy to turn off firewall using Powershell - powershell

I know I can use Set-NetFirewallProfile -Enabled False to turn off the firewall, but if I restart the server, the firewall becomes enabled again. The only thing that works is if I edit the local group policy (Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Standard Profile -> "Windows Firewall: Protect all network connections" set to Disabled).
Does anyone know how I can do the above steps in a PowerShell command?

What I generally do is have a standalone DC just for creating group policies to apply to my images prior to domain join. You can create a GPO with the settings to turn off the firewall, export it, and apply it with localgpo.exe as a last step. That should overwrite any settings enabling it. Then run NETSH ADVFIREWALL SET ALLPROFILES STATE OFF to disable the active profiles, and never turn the service off. It should be named better, like "Windows Firewall and Network Filter service" or something; lots of APIs in the Windows environment rely on it. Also, you could create domain policies on the target domain to override local settings as well, e.g. if you want a template to have the FW on until domain join.
Remember LSDO, the order of policy application:
Local
Site
Domain
OU
Microsoft LGPO Reference
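The answer's route (GPO export plus localgpo.exe) ends up writing local policy registry values. The same result can be reached directly from PowerShell; the block below is an added example, not code from the question or the answer. It writes the EnableFirewall value under the WindowsFirewall policy key (the value the "Windows Firewall: Protect all network connections" template writes), then changes the running profiles the way the NETSH command in the answer does, and reads the effective state back. Registry path and value name are the documented policy location; the profile-name mapping is stated in the comments.

```powershell
#Requires -RunAsAdministrator
# Added example. Disables (or enables) the firewall through the policy registry
# values, so the state is policy-backed and survives a reboot. Per LSDO a domain
# GPO that sets EnableFirewall=1 still wins over this local setting, and the
# MpsSvc service is left running, as the answer recommends.

function Set-LocalFirewallPolicyState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Registry profile names; they map to the Domain / Private / Public profiles.
        [ValidateSet('DomainProfile', 'StandardProfile', 'PublicProfile')]
        [string[]]$Profile = @('DomainProfile', 'StandardProfile', 'PublicProfile'),
        [bool]$Enabled = $false
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    foreach ($p in $Profile) {
        $key = Join-Path $base $p
        if ($PSCmdlet.ShouldProcess($key, "EnableFirewall=$([int]$Enabled)")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # 1 = Enabled, 0 = Disabled: the value the ADMX template writes.
            Set-ItemProperty -Path $key -Name EnableFirewall -Type DWord -Value ([int]$Enabled)
        }
    }
    # Change the running profiles now as well (cmdlet form of
    # NETSH ADVFIREWALL SET ALLPROFILES STATE OFF); the policy values above are
    # what makes the change stick across a restart.
    $state = if ($Enabled) { 'True' } else { 'False' }
    if ($PSCmdlet.ShouldProcess('all profiles', "Enabled=$state")) {
        Set-NetFirewallProfile -All -Enabled $state
    }
}

function Get-EffectiveFirewallState {
    # ActiveStore = what the firewall engine enforces after local and domain
    # policy have been merged; compare with the persistent store to spot a GPO
    # that is re-enabling the firewall on reboot.
    Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction
}

Set-LocalFirewallPolicyState -Enabled $false
Get-EffectiveFirewallState
```

If Get-EffectiveFirewallState still reports Enabled=True after a restart, a higher-precedence policy (Site, Domain or OU) is setting it; gpresult /scope computer /r on the server shows which GPO applied.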


Using Kerberos for RDP

We are in the process of turning off NTLM in our environment for both inbound and outbound traffic via GPO. In our lab testing we have encountered the following when blocking inbound NTLM on a remote host:
RDP'ing to the remote host with inbound NTLM blocked via cross-forest generated a CredSSP error message.
Setting Encryption Oracle Remediation to either Mitigated or Vulnerable as a workaround did not work.
Turning off NLA on the remote host as a workaround will allow cross-forest RDP
I have tried applying "Allow delegating fresh credentials" via policy on the remote host but it is still getting the CredSSP error
I have also tried setting the policy on the remote host to use SSL for "Require use of specific security layer for remote (RDP) connections", and I still got the same CredSSP error.
What did work is if I try to RDP from the same forest to the remote host, it will allow the connection and I can confirm it is using Kerberos for RDP instead of NTLM.
Another observation is once the same forest RDP worked on the remote host, cross-forest RDP connection on the remote host with the blocked inbound NTLM will now work.
Has anyone encountered something similar like this before?
If so, has anyone found a solution for cross-forest RDP to work on a remote host with blocked inbound NTLM without the need to pre-auth on the remote host in the same forest?
The Encryption Oracle Remediation error is a red herring because it uses the same error code as the NTLM is not available error. Unless you haven't patched in 3 years it'll likely never be the Encryption Oracle Remediation issue. It's really just that it tried to fallback to NTLM and policy said no.
In all likelihood the issue is that the client can't find or communicate with a domain controller to do NLA.
The client must find the user's domain first (domain A). From there it authenticates their password. It then asks to get a ticket to the machine. The machine isn't in the user's domain so it creates a referral ticket to where it thinks the machine is (domain B).
The referral is handed back to the client and the client tries to find a DC to where the referral is supposed to go (domain B). The client sends the referral to domain B and asks for a ticket to the machine. The domain controller either finds the machine and issues a ticket for it, or says it doesn't know and offers a referral to another domain (domain C) and you try again, or it just fails saying no machine can be found.
All of this occurs from the client's perspective, not the target machine's perspective. This happens before the client even pings the target machine (ish). This is why disabling NLA appears to resolve the issue.
So there are a handful of reasons why this happens:
You used an IP address -- this is a straight-to-NTLM scenario. Kerberos doesn't do IP addresses by default. You can turn it on, but it won't scale.
Client can't communicate with a DC in user's domain (domain A). Networking issue, client needs line of sight to domain controller, plus DNS.
Client can't communicate with a DC in the target machine's domain (domain B). Still a networking issue, client needs line of sight to domain controller, plus DNS.
You're not providing a proper fully qualified name and the user's DC can't figure out what forest it should refer to. You can enable Forest Search Order and it'll maybe help, or you can type in the fully qualified machine name.
This isn't an exhaustive list but these are the most common causes.
References:
https://syfuhs.net/windows-and-domain-trusts
https://syfuhs.net/how-authentication-works-when-you-use-remote-desktop
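The causes listed in the answer can all be checked from the client before opening mstsc. The block below is an added example, not part of the original answers: it classifies the target name (IP literal, short name, FQDN), checks DNS, asks the locator for a DC in the user's domain and in the target's domain, and finally requests the TERMSRV service ticket that Remote Desktop itself would request. It assumes nltest.exe and klist.exe are available (they are on domain-joined Windows), Resolve-DnsName (Windows 8 / Server 2012 or later), and that the user's domain is $env:USERDNSDOMAIN unless passed in.

```powershell
# Added example: pre-flight the Kerberos path that RDP with NLA depends on.
function Test-RdpKerberosPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Target,       # exactly what you would type into mstsc
        [string]$UserDomain = $env:USERDNSDOMAIN
    )
    $r = [ordered]@{ Target = $Target }

    # 1. An IP literal goes straight to NTLM: Kerberos SPNs (TERMSRV/host) are name-based.
    $ip = $null
    $r.IsIpLiteral = [System.Net.IPAddress]::TryParse($Target, [ref]$ip)

    # 2. A short name leaves the user's KDC guessing which forest to refer to;
    #    a fully qualified name tells it, and tells us which domain's DC to look for.
    $r.IsFqdn     = (-not $r.IsIpLiteral) -and ($Target -match '^[^.]+\.(.+)$')
    $targetDomain = if ($r.IsFqdn) { $Matches[1] } else { $null }

    # 3. DNS for the target itself.
    $r.Resolves = [bool](Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue)

    # 4. Line of sight to a DC in the user's domain (domain A) and in the target's
    #    domain (domain B). nltest exits non-zero when it cannot locate one.
    $null = & nltest.exe /dsgetdc:$UserDomain 2>&1
    $r.UserDomainDcFound = ($LASTEXITCODE -eq 0)
    if ($targetDomain) {
        $null = & nltest.exe /dsgetdc:$targetDomain 2>&1
        $r.TargetDomainDcFound = ($LASTEXITCODE -eq 0)
    } else {
        $r.TargetDomainDcFound = $null   # unknown: no domain part to look up
    }

    # 5. Request the service ticket mstsc would request. If this fails the client
    #    falls back to NTLM, and an inbound-NTLM block on the target then shows up
    #    as the CredSSP error from the question.
    $klist = & klist.exe get "TERMSRV/$Target" 2>&1
    $r.TermsrvTicket = [bool]($klist -match "TERMSRV/$([regex]::Escape($Target))")
    $r.KlistTail     = ($klist | Select-Object -Last 3) -join ' '

    [pscustomobject]$r
}

# Usage with constructed names: compare a short name, an IP literal and an FQDN.
'rdphost', '10.1.2.3', 'rdphost.child.example.com' |
    ForEach-Object { Test-RdpKerberosPath -Target $_ } | Format-List
```

A row with IsIpLiteral=True or IsFqdn=False explains a fallback by itself; with an FQDN, TargetDomainDcFound=False points at the referral step (the client cannot reach a DC in domain B), which is the case where disabling NLA appears to "fix" the connection.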
I also had a similar issue when using the DOMAIN\username login; using the UPN (username@domain.com) worked for me.
My understanding is using the UPN allows the client to know the DNS domain name, which then allows it to discover the DC of the remote domain through DNS resolution.
NB: my setup was from a workgroup server, so not exactly the same as yours; YMMV.

Connection between Amazon Workspaces instances

I'm having a hard time making multiple Amazon WorkSpaces instances connect to each other.
Here is the detail. I created 2 WorkSpaces, say instance A and instance B.
I just want to check whether I can ping from A to B, but no luck.
Why can't I do such a very simple thing? Are there any configurations needed other than disabling the firewall on B?
Could you please help me with this?
Like every resource within an AWS VPC, WorkSpaces use security groups that are attached to the network interface. By default no inbound connections are allowed by the security groups attached to a WorkSpace, so connectivity between resources will never work without opening something.
You can add a security group with inbound rules to your WorkSpaces, but be careful with that! (Look at the directory configuration to see which one it is.)
From: Security groups for your VPC
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
When you create a new security group, it has no inbound rules.
Therefore, no inbound traffic originating from another host to your
instance is allowed until you add inbound rules to the security group.
From: Security Groups for Your WorkSpaces
You can add a default WorkSpaces security group to a directory. After you associate a new security group with a WorkSpaces directory, new WorkSpaces that you launch or existing WorkSpaces that you rebuild will have the new security group.
You can also add this new default security group to existing WorkSpaces without rebuilding them, as explained later in this topic.
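The answer describes the two halves of the fix (a security group that actually allows the traffic, and getting that group onto both new and existing WorkSpaces). The block below is an added example, not code from the answer or from AWS: it drives the AWS CLI from PowerShell, creates a group whose only inbound rule is ICMP echo from members of the same group (a self-referencing rule, so nothing is opened to the VPC at large or to 0.0.0.0/0), sets it as the directory default, and attaches it to an existing WorkSpace's network interface without dropping the groups already there. The VPC, directory and WorkSpace ids and the 10.0.0.0/16 VPC CIDR are placeholders.

```powershell
# Added example. Requires the AWS CLI configured with EC2 and WorkSpaces rights.
$ErrorActionPreference = 'Stop'
$vpcId       = 'vpc-0123456789abcdef0'   # placeholder: the directory's VPC
$directoryId = 'd-1234567890'            # placeholder: WorkSpaces directory id
$workspaceId = 'ws-abcdefghi'            # placeholder: an existing WorkSpace (instance B)

# 1. New security group: no inbound rules at all (the quoted doc text), then one
#    inbound rule, ICMP echo request (type 8, any code) from members of the SAME
#    group. Instances A and B can ping each other; nothing else can.
$sgId = aws ec2 create-security-group --vpc-id $vpcId --group-name 'workspaces-peer' `
            --description 'WorkSpace to WorkSpace ICMP echo' --query GroupId --output text
aws ec2 authorize-security-group-ingress --group-id $sgId `
    --ip-permissions "IpProtocol=icmp,FromPort=8,ToPort=-1,UserIdGroupPairs=[{GroupId=$sgId}]"

# 2. Directory default: NEW or REBUILT WorkSpaces get this group automatically.
aws workspaces modify-workspace-creation-properties --resource-id $directoryId `
    --workspace-creation-properties "CustomSecurityGroupId=$sgId"

# 3. EXISTING WorkSpaces keep their old groups. Find the WorkSpace's network
#    interface by its private IP and add the group to the set already attached
#    (modify-network-interface-attribute replaces the whole list).
$wsIp = aws workspaces describe-workspaces --workspace-ids $workspaceId `
            --query 'Workspaces[0].IpAddress' --output text
$eni = aws ec2 describe-network-interfaces `
            --filters "Name=vpc-id,Values=$vpcId" "Name=addresses.private-ip-address,Values=$wsIp" `
            --query 'NetworkInterfaces[0].{Id:NetworkInterfaceId,Groups:Groups[].GroupId}' `
            --output json | ConvertFrom-Json
$groups = @($eni.Groups) + $sgId | Select-Object -Unique
aws ec2 modify-network-interface-attribute --network-interface-id $eni.Id --groups @($groups)

# 4. The security group is only the VPC half. Windows on instance B must also
#    accept echo requests; scope the rule to the VPC instead of turning the
#    firewall off. Run this ON instance B:
# New-NetFirewallRule -DisplayName 'ICMPv4 echo from VPC' -Direction Inbound `
#     -Protocol ICMPv4 -IcmpType 8 -RemoteAddress '10.0.0.0/16' -Action Allow
```

Step 3 is the "without rebuilding them" case the quoted documentation mentions; if step 4 is skipped, the packet reaches the instance and is dropped by Windows Defender Firewall, which looks identical to a security-group problem from instance A.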

Windows Server Advanced Firewall does not immediately apply changes to a rule scope updated from PowerShell

I have a scheduled task which extracts IP addresses from the list of failed login attempts on a SQL machine and updates a firewall rule with something like this:
netsh advfirewall firewall set rule name="BlockIpFromSQLFailedLogin" new remoteip="192.168.0.1,192.168.0.2,192.168.0.3" action="block"
But it does not immediately have an effect. After a while the firewall seems to reload its configuration and finally starts blocking access for the newly added IP addresses.
How can I force the firewall to immediately refresh and start blocking them?
I can see similar behavior from the UI of Windows Advanced Firewall, because after running the script, if I open the rule and open the scope I can see the old list of IP addresses. If I click "Refresh" the list is updated and the IPs are blocked.
I can't seem to find how to force the firewall to refresh from a powershell script.
Anyone knows how to do it?
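The question has no answer on this page, so whether a refresh can be forced is not established here. What the netsh line does not show, and what a scheduled task feeding log-derived addresses into a block rule needs, is shown in the added example below (not code from the question): the update written with the NetSecurity cmdlets instead of netsh, merging with the existing scope (netsh's "new remoteip=" replaces the list rather than appending to it), rejecting malformed entries so an empty or "Any" scope is never written, and reading the scope back from the ActiveStore, which is the store the engine enforces rather than the cached copy the console showed until "Refresh". The rule name is the one from the question; the input addresses are constructed.

```powershell
# Added example. Assumes the NetSecurity module (Server 2012 / Windows 8 or later).
function Update-BlockRuleScope {
    [CmdletBinding()]
    param(
        [string]$RuleName = 'BlockIpFromSQLFailedLogin',
        [Parameter(Mandatory)][string[]]$NewAddresses
    )
    # Accept plain IPv4/IPv6 addresses or CIDR ranges only. The list comes from
    # log data, so a malformed entry must not reach the rule, and an EMPTY scope
    # must never be written: a block rule with RemoteAddress=Any blocks all inbound.
    $valid = foreach ($a in $NewAddresses) {
        $addr, $prefix = $a.Trim() -split '/', 2
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($addr, [ref]$ip) -and
            (-not $prefix -or $prefix -match '^\d{1,3}$')) { $a.Trim() }
    }
    if (-not $valid) { throw "No valid addresses in input; rule '$RuleName' left unchanged." }

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        # Setting the scope REPLACES it, so merge with what is already there or
        # previously blocked addresses silently drop off the rule.
        $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) |
                   Where-Object { $_ -ne 'Any' }
        $merged  = @($current) + $valid | Select-Object -Unique
        $rule | Set-NetFirewallRule -RemoteAddress $merged
    } else {
        $merged = $valid | Select-Object -Unique
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Profile Any -RemoteAddress $merged | Out-Null
    }

    # Read the scope back from the ActiveStore: the rule as the engine enforces it.
    $effective = Get-NetFirewallRule -DisplayName $RuleName -PolicyStore ActiveStore |
                 Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule      = $RuleName
        Requested = @($merged).Count
        Effective = @($effective.RemoteAddress).Count
        Missing   = @($merged | Where-Object { $_ -notin $effective.RemoteAddress })
    }
}

# Constructed input, shaped like what the scheduled task would build from the
# failed-login list; the last entry is rejected by the validation above.
Update-BlockRuleScope -NewAddresses '192.168.0.1', '192.168.0.2', '192.168.0.3', 'not-an-ip'
```

If Missing is non-empty immediately after the call, the delay the question describes is reproduced and can be logged by the task; if it is empty, the addresses are already in the enforced scope regardless of what the console's cached view shows.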

Enumerate all IPSec filters/policies from an AD Domain

We've an AD Domain on Server 2008R2 (objectVersion 47) and running at 2003 functionality. Running commands on PowerShell v5.0.10586.117
IPSec policies and associated IP filter lists are used just for IP filtering (no encryption).
I believe all IPSec filter lists and policies are domain wide, GPOs only handle which single IPSec policy to apply?
I've used whatever google-fu I have on how to enumerate the many IPSec IP filters we have on domain/GPO and cannot get a meaningful result.
Can get Windows Firewall with Advanced Security results successfully using Get-NetFirewallRule and Show-NetFirewallRule.
Tried these commands Get-NetIPsecRule and Show-NetIPsecRule
Using their -PolicyStore argument such as:
# Always results in empty even if the GPO in question has a policy assigned.
# However am looking for all IP filters specified (which are domain wide as far as I can see)
Get-NetIPSecRule -PolicyStore domain.fqdn.com\GPO_Friendly_Name
# Fails as no GPO is specified
Get-NetIPSecRule -PolicyStore domain.fqdn.com
netsh commands so far have been on local machine or a remote machine which doesn't work for this situation.
Please feel free to correct my above assumptions if they're wrong.
Any help would be appreciated! Thank you!
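The question has no answer on this page. Its working assumption, that the filter lists and policies are domain-wide objects and a GPO merely assigns one policy, matches how the legacy "IP Security Policies on Active Directory" are stored: as ipsecPolicy, ipsecNFA (rule), ipsecFilter and ipsecNegotiationPolicy objects under CN=IP Security,CN=System,<domain>, linked to each other by DN-valued reference attributes. The WFAS cmdlets (Get-NetIPsecRule) only see connection security rules, which is one reason they return nothing for these. The block below is an added example, not code from the question, that enumerates those objects with the ActiveDirectory module; the GPO-side helper relies on a text match over the GPO XML report, stated as a heuristic, and the domain is taken from the current context unless -Server is given.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example: list legacy IPsec policy objects stored in the domain.
function Get-LegacyIpsecObject {
    [CmdletBinding()]
    param(
        [ValidateSet('ipsecPolicy', 'ipsecNFA', 'ipsecFilter',
                     'ipsecNegotiationPolicy', 'ipsecISAKMPPolicy')]
        [string[]]$Class = @('ipsecPolicy', 'ipsecNFA', 'ipsecFilter'),
        [string]$Server
    )
    $domain = if ($Server) { Get-ADDomain -Server $Server } else { Get-ADDomain }
    $base   = "CN=IP Security,CN=System,$($domain.DistinguishedName)"
    $filter = '(|' + (($Class | ForEach-Object { "(objectClass=$_)" }) -join '') + ')'
    $params = @{
        SearchBase = $base
        LDAPFilter = $filter
        Properties = 'ipsecName', 'description', 'ipsecID', 'ipsecData',
                     'ipsecOwnersReference', 'ipsecNFAReference',
                     'ipsecFilterReference', 'whenChanged'
    }
    if ($Server) { $params.Server = $Server }
    Get-ADObject @params | ForEach-Object {
        [pscustomobject]@{
            Class      = $_.ObjectClass
            Name       = $_.ipsecName
            Description = $_.description
            # Policy -> its rules (NFAs); NFA -> its filter list. These DN links
            # are what ties a domain-wide filter list to the policy that uses it.
            Rules      = @($_.ipsecNFAReference)
            FilterList = @($_.ipsecFilterReference)
            UsedBy     = @($_.ipsecOwnersReference)
            # The filter entries themselves live in ipsecData, an undocumented
            # binary blob; only its size is reported here.
            DataBytes  = @($_.ipsecData).Count
            Changed    = $_.whenChanged
            DN         = $_.DistinguishedName
        }
    }
}

# Heuristic (assumption, not a parsed schema): a GPO that assigns a legacy IPsec
# policy shows an IP Security section in its report. This lists GPOs whose XML
# report mentions it, to be cross-checked against the Name column above.
function Get-GpoMentioningIpsec {
    [CmdletBinding()]
    param()
    Get-GPO -All | Where-Object {
        (Get-GPOReport -Guid $_.Id -ReportType Xml) -match 'IP ?Security|IPSec'
    } | Select-Object DisplayName, Id, GpoStatus
}

# Usage: every filter list, then which policy rules point at it.
Get-LegacyIpsecObject -Class ipsecFilter | Format-Table Name, UsedBy, DataBytes
Get-LegacyIpsecObject -Class ipsecPolicy, ipsecNFA | Format-List Name, Rules, FilterList
Get-GpoMentioningIpsec
```

The same objects are what "netsh ipsec static show all" renders on a member machine, but netsh reads the copy the IPsec Policy Agent pulled, not the directory, which is why it only ever showed the locally assigned policy.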

Changing password for local admin in a workgroup remotely through powershell

I have multiple machines in a workgroup. Each has the same admin user and password, and I need to change the password on all of them.
The part of the script that does this is:
$user = [adsi]"WinNT://$computer/$username"
$user.SetPassword($password)
$user.SetInfo()
I get this error:
The following exception occurred while retrieving member
"SetPassword": "The network path was not found.
I tried this: How to Run PowerShell Commands on Remote Computers
but it doesn't help
I turned the firewall on the remote machines off and then it worked...
The question is, what rule do I need in the firewall to allow this? I couldn't figure out which port/protocol
I believe it requires both the Remote Administration and the File & Print Sharing rules to be enabled in addition to your remote credential being part of the Administrators group (either explicitly or through Domain groups) on the target machine.
The following website shows how this can be enabled in Group Policy on a domain. You'll need both the Computer Management and the Powershell sections.
https://4sysops.com/archives/add-a-user-to-the-local-administrators-group-on-a-remote-computer/
... [Computer Management] Hence, if you want to manage remote computers with Computer Management, you have to enable the Group Policy setting Allow inbound remote administration exception for the Windows Firewall. You can find the policy in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
Allow inbound remote administration exception
... [Powershell] For this method to work, we need another firewall setting as with the Computer Management solution. You have to enable the Group Policy Allow inbound file and printer sharing exception. The policy is also located in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
Allow inbound file and printer sharing exception
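The answer enables whole rule groups for any source. The ADSI WinNT:// provider talks SMB to the target (TCP 445, which carries the SAMR named pipe), and "The network path was not found" (Win32 error 53) is the SMB-level failure you get when that port is not reachable. The block below is an added example, not code from the question or the answer: on each target it opens only TCP 445 and only from the management host (the answer's group-wide netsh equivalents are kept in a comment for reference), and on the management host it performs the password change with an explicit credential, a reachability check on 445 first so an unreachable host fails fast, and per-host results instead of one thrown exception. The management-host IP, host names and account names are placeholders. The assumption that 445 is the only port involved holds for the named-pipe binding; if a target still fails with 445 open, the "Remote Administration" group (RPC endpoint mapper plus dynamic ports) is the next thing to enable.

```powershell
#Requires -Version 5.1
# Added example. Placeholders: 10.0.0.5 (management host), ws01/ws02, Administrator.

# Run ONCE ON EACH TARGET, e.g. in the image before deployment.
function Enable-ScopedSmbAdmin {
    param([Parameter(Mandatory)][string]$ManagementHost)
    # Broad equivalents from the answer, for comparison (any source address):
    #   netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
    #   netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
    $name = 'SMB-In from management host'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress $ManagementHost -Action Allow -Profile Any | Out-Null
    }
}

# Run ON THE MANAGEMENT HOST.
function Set-RemoteLocalPassword {
    param(
        [Parameter(Mandatory)][string[]]$Computer,
        [Parameter(Mandatory)][string]$UserName,                 # account whose password changes
        [Parameter(Mandatory)][pscredential]$AdminCredential,    # current local admin on the targets
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    # ADSI needs the new password in clear text; keep its lifetime to this call.
    $plainNew = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    foreach ($c in $Computer) {
        $status = [ordered]@{ Computer = $c; Result = $null }
        $reach = Test-NetConnection -ComputerName $c -Port 445 -WarningAction SilentlyContinue
        if (-not $reach.TcpTestSucceeded) {
            # Same condition that produced "The network path was not found".
            $status.Result = 'TCP 445 not reachable: firewall rule missing or host down'
            [pscustomobject]$status
            continue
        }
        try {
            # Explicit credential instead of the [adsi] accelerator's implicit
            # token; Invoke/CommitChanges are the SetPassword/SetInfo of the question.
            $de = New-Object System.DirectoryServices.DirectoryEntry(
                "WinNT://$c/$UserName,user",
                "$c\$($AdminCredential.UserName)",
                $AdminCredential.GetNetworkCredential().Password)
            $de.Invoke('SetPassword', $plainNew)
            $de.CommitChanges()
            $status.Result = 'OK'
        } catch {
            $inner = $_.Exception.InnerException
            $status.Result = 'Failed: ' + $(if ($inner) { $inner.Message } else { $_.Exception.Message })
        }
        [pscustomobject]$status
    }
    $plainNew = $null
}

# Usage (constructed):
# $cred = Get-Credential -Message 'Current local admin on the targets'
# $new  = Read-Host -AsSecureString 'New password'
# Set-RemoteLocalPassword -Computer 'ws01', 'ws02' -UserName 'Administrator' `
#     -AdminCredential $cred -NewPassword $new | Format-Table
```

Scoping the rule to the management host keeps SMB closed to everything else on the segment, which matters more on a workgroup than on a domain: every machine shares the same local admin credential, so any host that can reach 445 on one of them can try it against all of them.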