IT, Microsoft, Server, Windows Server

Installing Windows Server Update Services on Windows Server 2008 R2

Hi!

Along with its abundant features, Windows Server provides an awesome feature – Windows Server Update Services (WSUS), which allows system administrators to manage and deploy product updates on any Windows machine in the organization.

There is a great YouTube video that shows how to install and configure WSUS on your Windows Server:

There is another great YouTube video to watch if you are trying to install WSUS on Windows Server 2012 R2:

It is not recommended to install WSUS on your domain controller. Also, if you are going to install it on a virtual machine, ensure that there is enough disk space. Take it from me, I installed WSUS on our SpiceWorks server and it is running really slow.

The videos above pretty much cover how to install and configure WSUS on a Windows Server, but I am going to do a quick step-by-step of the group policy I created in order for WSUS to detect all the machines in the organization and have the updates running on each machine.

Scenario:

MASRV: Domain Controller

ASSET: WSUS Server

MALTP50: Client

Tutorial:

  • MASRV: Configure the Group Policy settings for WSUS
    • Server Manager > Tools > Group Policy Management > right click on domain and click “Create a GPO in this domain, and Link it here..” > name it WSUS
    • Right click on WSUS > Edit > Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
      • Double click “Configure Automatic Updates” > select Enable > click OK
      • Double click “Specify intranet Microsoft update service location” > select Enable
        • Set the intranet update service for detecting updates: http://ASSET (since I have it on the default port, I do not need to specify the port – another option is to have SSL running, which will be on port 8530)
        • Set the intranet statistics server: http://ASSET
    • Go to cmd > gpupdate /force
  • ASSET: Update policy from MASRV
    • Go to cmd > gpupdate /force
  • MALTP50: Update policy from MASRV and check for updates
    • Go to cmd > gpupdate /force
    • Go to Control Panel > Windows Update > Check for updates

Once you have forced the Group Policy, you should receive update notifications on each machine and WSUS should detect the machines within the organization.
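The same GPO built from MASRV with the GroupPolicy module instead of the editor, plus a check to run on a client after gpupdate /force. This is an added example, not part of the original post; the domain name corp.example is a placeholder, the hostnames are the ones from the scenario.

```powershell
# Added example, not from the original post: build the WSUS GPO from MASRV
# with the GroupPolicy module (RSAT GPMC), then verify on a client that the
# policy really points at ASSET. corp.example is a placeholder domain.
Import-Module GroupPolicy

$GpoName = 'WSUS'
$Domain  = 'corp.example'                       # placeholder, use your own domain
$WsusUrl = 'http://ASSET'                       # default port, so no :port suffix
$WuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey   = "$WuKey\AU"

# "Create a GPO in this domain, and Link it here.." at the domain root
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
    $domainDn = 'DC=' + ($Domain -replace '\.', ',DC=')   # corp.example -> DC=corp,DC=example
    New-GPLink -Name $GpoName -Target $domainDn | Out-Null
}

# "Specify intranet Microsoft update service location": Enabled, both URLs = http://ASSET
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'UseWUServer'    -Type DWord  -Value 1        | Out-Null

# "Configure Automatic Updates": Enabled (NoAutoUpdate = 0). AUOptions 3 is the
# editor's default ("auto download and notify for install"); 4 would schedule installs.
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'AUOptions'    -Type DWord -Value 3 | Out-Null

# Run on ASSET or MALTP50 after gpupdate /force: read back the keys the GPO writes.
# A client that still shows WUServer empty or UseWUServer 0 is not in the GPO's scope yet.
function Test-WsusPolicy {
    param([string]$ExpectedUrl = 'http://ASSET')
    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuPath      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuPath\AU" -ErrorAction SilentlyContinue
    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (2008 R2)
    New-Object PSObject -Property @{
        WUServer      = $wu.WUServer
        UseWUServer   = $au.UseWUServer
        PointsAtAsset = ($wu.WUServer -eq $ExpectedUrl -and $au.UseWUServer -eq 1)
    }
}

Test-WsusPolicy
```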

Access Point, IT, Networking, RADIUS, Ubiquiti

Integrating RADIUS Server to Ubiquiti UniFi

Hi!

You have your RADIUS server configured – now what? Now, it is time to integrate the RADIUS server with your Access Point! Since we use Ubiquiti Unifi as the AP in our office, I will be showing you how to connect the RADIUS server to the AP. Note that a lot of APs are configured in a similar way; the main difference is the interface of the web console for each brand.

  1. Open the UniFi web console on your browser
  2. Go to Settings > Wireless Networks
  3. Click “Edit” on the SSID that you want to integrate the RADIUS server with (mine will be MA-Lab)
  4. Choose WPA Enterprise in the Security section
  5. Enter the IP Address, Port Number and the Shared Secret of the RADIUS server. Note: you should have configured the shared secret when configuring the Radius Client in the NPS.
  6. Click Save

And tada! Now your employees are able to connect to the WIFI only on their work machines!

Active Directory, IT, Microsoft, Networking, RADIUS, Windows Server

Windows 2008 R2 RADIUS Server Configuration (Part 2)

Hi!

So, last week I posted a YouTube video on how to set up and test a RADIUS server. Now, I will be showing you how to set up a RADIUS server to authenticate WIFI users. For my scenario, only domain users and registered machines are allowed to connect to the office’s WIFI. That means that mobile phones will not be able to connect to the internal network.

In order to do this, I first created a RADIUS server and a certificate that will be installed on all of the registered machines. I used the following YouTube video to help me do this. Note: if you have already set up DHCP and so on, you can fast forward to 10:52 where he shows you how to create the domain group and certificate, and how to set up the RADIUS server.

Now, in order to allow only certain machines to connect to the WIFI, I added a few conditions to the network policy:

  • Called-ID: SSID$ [SSID means the name of the SSID that you want the policy configured for. For example, if you have an SSID named RDS, you will put RDS$ in the Called-ID field]
  • Calling-ID: ^MAC-Address-1$|^MAC-Address-2$|… [here is where you put all of the registered machines’ MAC addresses. Remember to use ‘-‘ instead of the default ‘:’ between each pair of characters. Also, add ^ at the beginning and $| at the end of each address if you are entering multiple MAC addresses. Note: there is a 256 character limit.]

Next, I need to register the MAC addresses to the individual user. We can assume that each employee is only assigned to one laptop.

  1. Go to Active Directory Users and Computers
  2. Navigate to the user > right click and click Properties
  3. Go to the “Dial-In” tab > select “Control access through NPS Network Policy” > check the “Verify Caller-ID:” option > enter the MAC address of the machine that is associated with the employee (remember to use ‘-‘ instead of ‘:’ and all uppercase letters)
  4. Click Apply

What if the MAC Addresses exceed the 256 character limit? What if one employee uses multiple machines? No need to worry, there are ways around these problems!

Problem: You have more MAC addresses than fit in the 256 character limit.
Solution: Export the NPS configuration as an .xml file, edit the file using Notepad, Notepad++, or any text/XML editor, and copy all of the MAC addresses (using the same format as above) into the “Calling-Station-Id” section of the file. Once you have done so, save the file and import it back into NPS.
Tip: To import/export the configuration file, go to the NPS console on the server, select NPS, then go to Action on the top bar and click Import/Export Configuration.

Problem: An employee is assigned to multiple machines.
Solution: Go to ADSI Edit, navigate to the user, right click and click Properties, then enter all of the MAC addresses assigned to the user in the “msNPCallingStationID” and “msNPSavedCallingStationID” fields. Remember to use ‘-‘ between each pair of characters.
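A script that does the MAC formatting for the Calling-ID condition above, checks the 256 character limit, and performs the ADSI Edit step for a user with several machines. This is an added example, not part of the original post; the MAC addresses and the user name are constructed placeholders.

```powershell
# Added example, not from the original post: normalise MACs into the form NPS
# expects (uppercase, '-' separated), build the Calling-Station-Id condition
# ^MAC-1$|^MAC-2$|... described above, warn when it passes the 256 character
# limit, and set the per-user attributes that ADSI Edit edits by hand.
# The MAC values and the user name are constructed placeholders.

function ConvertTo-NpsMac {
    param([Parameter(Mandatory=$true)][string]$Mac)
    # Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Not a 48-bit MAC address: $Mac" }
    ([regex]::Matches($hex, '..') | ForEach-Object { $_.Value }) -join '-'
}

function New-CallingStationIdPattern {
    param([Parameter(Mandatory=$true)][string[]]$Macs, [int]$MaxLength = 256)
    # Anchor each address so the regex only matches whole Calling-Station-Id values
    $pattern = ($Macs | ForEach-Object { '^' + (ConvertTo-NpsMac $_) + '$' }) -join '|'
    if ($pattern.Length -gt $MaxLength) {
        # Each entry is 19 characters plus a '|', so the UI field holds at most 12 addresses
        Write-Warning ("Pattern is {0} characters, over the {1} limit; export the NPS XML and paste the pattern into Calling-Station-Id there" -f $pattern.Length, $MaxLength)
    }
    $pattern
}

# Constructed sample: three laptops pasted in three different formats
$laptops = '00:1A:2B:3C:4D:5E', '00-1a-2b-3c-4d-5f', '001A.2B3C.4D60'
$pattern = New-CallingStationIdPattern -Macs $laptops
$pattern

# Constructed list of 20 addresses: long enough to trigger the limit warning
$many = 1..20 | ForEach-Object { '00-1A-2B-3C-4D-{0:X2}' -f $_ }
(New-CallingStationIdPattern -Macs $many).Length

# "An employee is assigned to multiple machines": the ADSI Edit step via the
# ActiveDirectory module. Both attributes are multi-valued, so pass the array.
Import-Module ActiveDirectory
$userMacs = $laptops | ForEach-Object { ConvertTo-NpsMac $_ }
Set-ADUser -Identity 'jane.doe' -Replace @{        # placeholder user name
    msNPCallingStationID      = $userMacs
    msNPSavedCallingStationID = $userMacs
}
```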

And voila! Now you have a RADIUS that will authenticate a Domain user and his/her machine! In the next post, I will show you a quick tutorial on how to integrate the RADIUS server to the AP.

Active Directory, IT, Microsoft, Networking, RADIUS, Windows Server

Windows 2008 R2 RADIUS Server Configuration (Part 1)

Hi!

For today’s tutorial, I am going to show you how to install and test a Windows 2008 RADIUS server. It is pretty simple and quick.

First of all, RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that supports centralized AAA (Authentication, Authorization and Accounting) management. It utilizes a central database to authenticate remote users. Watch the video below to get more information on how RADIUS works.

So, what will I be doing with this RADIUS server? I have created a RADIUS server to provide user authentication on the Ubiquiti Unifi AP. The primary goal of this project is to have all of the official devices (laptops, servers, etc.) connected to one SSID while the personal mobile devices are connected to another, which will be outside of the office’s local network. Users will connect to the WIFI on their official laptops and will have to authenticate themselves before being connected to the Internet. This is where RADIUS comes into play. When the user enters their username and password, Ubiquiti will send the credentials to the RADIUS server and the server will then check for authentication.

Okay, so this tutorial will be slightly different. Instead of giving you step-by-step instructions, I will post a YouTube video instead. I find that watching videos and following along is a lot more helpful than reading step-by-step tutorials. Note that there are three major steps to this tutorial – enabling the service on the Windows Server, configuring the RADIUS service (clients and policies), and testing the RADIUS login.

To test the RADIUS login, I used NTRadPing, free software from Mastersoft-Group. It will allow you to test whether or not the RADIUS server that you have configured is responding. You can download the software here.

Active Directory, IT, Server

LDAP Authentication on Filezilla Server

Hey!

For this post, I will provide a tutorial on how to turn on LDAP authentication on a Filezilla server. If you haven’t heard of Filezilla server before, it is a free and easy to use FTP/FTPS solution.

By default, Filezilla server only supports local user accounts. However, since Filezilla is open-source, there is a version which allows for Active Directory Authentication.

Prior to installing Filezilla server, you want to make sure that all of the necessary ports are open between the Active Directory Domain Controller and the Filezilla server.

Configuring LDAP on server settings:

  1. Go to the site, download the executable and run the installer on your FTPS server: https://sourceforge.net/projects/fzldap/
  2. Open the Filezilla server config console > Edit > Settings
  3. In the LDAP tab > check “Enable LDAP support. Beta.” > and fill the LDAP server IP Address, Port (389), and LDAP Domain > check “Enable TLS/SSL”

  4. In the SSL/TLS Settings tab > check “Enable FTP over SSL/TLS support (FTPS)” > click “Generate new certificate” and fill in the necessary fields. Once you have generated a certificate, enter the location of the key and certificate in the “Private key file” and “Certificate file” fields. Check “Allow explicit FTP over TLS”; the default port should be 990.

Enabling LDAP on a user:

  1. Go back to the server config console > Edit > Users
  2. Click “Add” to setup a new user
  3. The new username should be identical to the domain login username. For example, if my domain login username is “anindayu.pradetha”, the Filezilla user should be “anindayu.pradetha” as well.
  4. Uncheck the “Password:” option; the password field should be empty.
  5. Check the LOCAL and LDAP options under “Check password in”
  6. Set up the shared folder settings accordingly.
  7. Click OK once you have finished the configuration.

Now, you should be able to login to your FTPS server with the AD username and password! 🙂

Reference:

https://www.kiloroot.com/filezilla-server-microsoft-active-directory-ldap-authentication/

IT, Mikrotik, Network

Configuring VLAN on Mikrotik Cloud Router Switch

Hi!

After a day of trying to figure out how to configure VLAN on a Mikrotik Cloud Router Switch, I finally got it to work!

So, first things first: VLAN (Virtual Local Area Network) is a neat feature on Layer 2 devices (a.k.a. switches) that offers virtual segmentation on a physical switch. In other words, we are able to segregate different networks on one physical port of the switch. This is particularly helpful when you are trying to segregate departments but don’t have enough physical ports to do so.

There are two types of ports that VLAN uses: access and trunk. Access ports are used to connect to the end devices, whereas the trunk ports are used to connect different VLANs.

Now, back to the post. I was trying to segregate the intranet from the local network, so VLAN came to the rescue. We were trying to figure out how to do VLANs on our Netgear switch to the Cyberoam router, however, we realized that our Netgear switch doesn’t have the capability to do VLAN routing, which allows VLANs to communicate with one another on a Layer 3 scale. So, after doing our research, we found out that Mikrotik Cloud Router Switch has the feature to do VLAN routing.

For testing purposes, here is my topology:

Cloud Router Switch:

  • Port 1 is connected to the Cyberoam router (192.168.88.2/24)
  • Ports 9-16 (IT) are on VLAN 20 (192.168.20.0/24)
  • Ports 17-24 (SALES) are on VLAN 30 (192.168.30.0/24)

Cyberoam Router:

  • Port E is connected to the CRS (192.168.88.1/24)
  • Port E.20 (192.168.20.248/24)
  • Port E.30 (192.168.30.248/24)

Okay, let’s get started with the configuration:

  1. Configure the “slave” ports (the ports that are connected to the end devices) to talk to the “master” port. In our case, the master port will be our trunk port (port 1), the port that will communicate with the router and will separate the VLANs.

    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-TRUNK
    set [ find default-name=ether9 ] master-port=ether1-TRUNK name=ether9-IT
    set [ find default-name=ether10 ] master-port=ether1-TRUNK name=ether10-IT
    set [ find default-name=ether11 ] master-port=ether1-TRUNK name=ether11-IT
    set [ find default-name=ether12 ] master-port=ether1-TRUNK name=ether12-IT
    set [ find default-name=ether13 ] master-port=ether1-TRUNK name=ether13-IT
    set [ find default-name=ether14 ] master-port=ether1-TRUNK name=ether14-IT
    set [ find default-name=ether15 ] master-port=ether1-TRUNK name=ether15-IT
    set [ find default-name=ether16 ] master-port=ether1-TRUNK name=ether16-IT
    set [ find default-name=ether17 ] master-port=ether1-TRUNK name=ether17-SALES
    set [ find default-name=ether18 ] master-port=ether1-TRUNK name=ether18-SALES
    set [ find default-name=ether19 ] master-port=ether1-TRUNK name=ether19-SALES
    set [ find default-name=ether20 ] master-port=ether1-TRUNK name=ether20-SALES
    set [ find default-name=ether21 ] master-port=ether1-TRUNK name=ether21-SALES
    set [ find default-name=ether22 ] master-port=ether1-TRUNK name=ether22-SALES
    set [ find default-name=ether23 ] master-port=ether1-TRUNK name=ether23-SALES
    set [ find default-name=ether24 ] master-port=ether1-TRUNK name=ether24-SALES

  2. Add VLAN 20 and 30 to the trunk port

    /interface vlan
    add interface=ether1-TRUNK name=vlan20 vlan-id=20
    add interface=ether1-TRUNK name=vlan30 vlan-id=30

  3. Configure the master port to accept both VLAN 20 and 30 tags

    /interface ethernet switch egress-vlan-tag
    add tagged-ports=ether1-TRUNK,switch1-cpu vlan-id=20
    add tagged-ports=ether1-TRUNK,switch1-cpu vlan-id=30

  4. Configure the ports to read their respective VLAN tag

    /interface ethernet switch egress-vlan-translation
    add customer-vid=20 customer-vlan-format=untagged-or-tagged new-customer-vid=0 ports="ether9-IT,ether10-IT,ether11-IT,ether12-IT,ether13-IT,ether14-IT,ether15-IT,ether16-IT" service-vlan-format=untagged-or-tagged
    add customer-vid=30 customer-vlan-format=untagged-or-tagged new-customer-vid=0 ports="ether17-SALES,ether18-SALES,ether19-SALES,ether20-SALES,ether21-SALES,ether22-SALES,ether23-SALES,ether24-SALES" service-vlan-format=untagged-or-tagged

  5. Configure the ports to wrap the packet with the respective VLAN tag

    /interface ethernet switch ingress-vlan-translation
    add customer-vid=0 new-customer-vid=20 ports="ether9-IT,ether10-IT,ether11-IT,ether12-IT,ether13-IT,ether14-IT,ether15-IT,ether16-IT"
    add customer-vid=0 new-customer-vid=30 ports="ether17-SALES,ether18-SALES,ether19-SALES,ether20-SALES,ether21-SALES,ether22-SALES,ether23-SALES,ether24-SALES"

  6. Configure the ports to accept their respective VLAN tags

    /interface ethernet switch vlan
    add ports="ether1-TRUNK,ether9-IT,ether10-IT,ether11-IT,ether12-IT,ether13-IT,ether14-IT,ether15-IT,ether16-IT,switch1-cpu" vlan-id=20
    add ports="ether1-TRUNK,ether17-SALES,ether18-SALES,ether19-SALES,ether20-SALES,ether21-SALES,ether22-SALES,ether23-SALES,ether24-SALES,switch1-cpu" vlan-id=30

  7. Configure IP addresses for the VLANs and the trunk port

    /ip address
    add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
    add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
    add address=192.168.88.2/24 interface=ether1-TRUNK network=192.168.88.0

  8. Configure the gateway (Cyberoam)

    /ip route
    add distance=1 gateway=192.168.88.1

For the Cyberoam Router, I will configure port E with the IP address of 192.168.88.1/24 and add VLAN 20 (192.168.20.0/24) and VLAN 30 (192.168.30.0/24).

And voila! Devices on VLAN 20 are able to communicate with one another; however, they will not be able to communicate with VLAN 30, and vice versa.

References:

http://www.forummikrotik.com/tutorial/25703-cloud-router-switch-configuration-bonding-trunking-lacp.html

IT, Microsoft, Windows Server

Group Policy for Enabling Local Admin

Hi!

For this post, I will write about an awesome feature – group policy – that allows IT admins to control user and computer configurations all from one place (a.k.a. the server). I was familiar with the term, something I learned at a workshop years ago, but it wasn’t until a week ago that I got to use it at work. It is a pretty neat feature; it saves time (no need to inspect each computer one by one anymore) and can do great damage (great for IT admins, not so great for the end users).

Group policy can be used for just about anything – enabling the firewall, disabling jump drives, even installing and assigning software on all of the computers!

Last week our IT Security Team was facing a dilemma – how to prevent users from installing non-approved software on their laptops. The solution? Removing their local admin rights and changing them into normal “Users”. Yes, the users will scream and shout, but it will prevent any malware from getting into the system.

Okay, let’s get to it!

Goal: To create a GPO (group policy object) that will allow only a handful of users to become local admins while the rest are normal users.

There are two parts to this tutorial: creating the security group (Local Admins) and creating the GPO to only allow the security group to have local admin privileges.

Creating the security group

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the Group a name (for this tutorial, I am using “Local Admins”)
  5. Add the users who can have local admin rights to this Group

Creating the GPO

  1. Open Group Policy Management Console.
  2. Right click the OU that contains the systems you want to set the local admin on
  3. Select “Create a GPO in this domain, and Link it here…”
  4. Name the GPO. I am using “Set Local Administrators”
  5. Right Click the GPO and select Edit.
  6. Set the following:
    1. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
    2. Right Click and select “Add Group…”
    3. Select browse and add the Administrators group
    4. Select OK
    5. Double click Administrators
    6. Select Add for “Members of this group:”
    7. Browse and find your security group. I added “Local Admins” and “Domain Admins”
    8. Close window
    9. Right Click (still on the Restricted Groups page) and select “Add Group…”
    10. Select browse and add the Local Admins group
    11. Select OK
    12. Double click Local Admins
    13. Select Add for “This group is a member of:”
    14. Browse and add Administrators

So, it should look like this once you have configured everything:
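A check to run on a client after the GPO has applied, to confirm that Restricted Groups really left only the intended members in the local Administrators group. This is an added example, not part of the original post; the domain NetBIOS name CORP is a placeholder, the group names are the ones used above.

```powershell
# Added check, not from the original post: once "Set Local Administrators" has
# applied (gpupdate /force), audit a machine's Administrators group and flag any
# member the Restricted Groups policy should not have left there. The domain
# NetBIOS name CORP is a placeholder; the group names are the ones from the post.

function Get-LocalAdministrators {
    param([string]$ComputerName = '.')
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # ADsPath is WinNT://CORP/Local Admins for domain principals and
        # WinNT://MALTP50/Administrator for local accounts
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LocalAdminCompliance {
    param(
        [string]$ComputerName = '.',
        [string[]]$Allowed = @('CORP\Domain Admins', 'CORP\Local Admins')
    )
    $members = @(Get-LocalAdministrators -ComputerName $ComputerName)
    # The built-in local Administrator account cannot be removed from the group, so
    # it is always expected; every other member must be on the allowed list.
    $hostName = if ($ComputerName -eq '.') { $env:COMPUTERNAME } else { $ComputerName }
    $builtin  = "$hostName\Administrator"
    $extra = @($members | Where-Object {
        ($_ -ne $builtin) -and ($Allowed -notcontains $_)
    })
    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0
    New-Object PSObject -Property @{
        Computer   = $hostName
        Members    = $members
        Unexpected = $extra
        Compliant  = ($extra.Count -eq 0)
    }
}

# Run locally on a client in the OU the GPO is linked to, or loop over a host list
Test-LocalAdminCompliance | Format-List Computer, Members, Unexpected, Compliant
```

A non-empty Unexpected list after a successful gpupdate means either the GPO is not linked to the OU that machine sits in, or another GPO with higher precedence is also setting Restricted Groups.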
