Bart's Weblog

Just a blog…

Archive for the ‘Security’ Category

Group Policy Management MMC problem: ‘Wired Network Policy Management’

Posted by bartvdw on 01/06/2018

After testing membership of the ‘Protected Users’ security group (introduced in Windows Server 2012 R2), I was getting the following error after expanding ‘Computer Configuration\Policies\Windows Settings\Security Settings’:

[Screenshot: MMC error for the ‘Wired Network Policy Management’ GPO node when the account is a member of ‘Protected Users’]

Keep this in mind when using this group! Unfortunately I’m unable to find documentation about this effect, nor do I have proper logs pointing to this group…
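Membership of ‘Protected Users’ also blocks NTLM, Digest and CredSSP authentication, DES/RC4 Kerberos and delegation for the account (see the Microsoft references below), so side effects like the one above are easiest to avoid by checking what an account still depends on before adding it. The following is an added example, not code from the original post: it parses Windows logon events (ID 4624) and reports which candidate accounts were still seen authenticating with NTLM. The two event XML records are constructed sample data; the account names, the function names and the 7-day window are assumptions.

```powershell
# Added example (not from the original post). Parses 4624 logon events and
# lists candidate accounts that still authenticate with NTLM, which will stop
# working once they are placed in 'Protected Users'.
# Assumes an elevated session on a host whose Security log has 4624 events;
# the sample XML below is constructed to run the logic offline.

function ConvertFrom-LogonEventXml {
    # Turn one 4624 event (as XML text, e.g. from EventRecord.ToXml()) into a
    # flat object. PowerShell's XML adapter ignores the default namespace, so
    # $x.Event.EventData.Data works without namespace handling.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $x = [xml]$EventXml
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Package     = $d.AuthenticationPackageName   # 'NTLM' or 'Kerberos'
            LogonType   = [int]$d.LogonType
            Workstation = $d.WorkstationName
        }
    }
}

function Find-NtlmDependentAccounts {
    # Group NTLM logons of the candidate accounts by account and source host.
    param(
        [Parameter(Mandatory)] [object[]] $Logons,     # output of ConvertFrom-LogonEventXml
        [Parameter(Mandatory)] [string[]] $Candidate   # accounts you plan to protect
    )
    $Logons |
        Where-Object { $_.Package -eq 'NTLM' -and $_.Account -in $Candidate } |
        Group-Object Account |
        ForEach-Object {
            [pscustomobject]@{
                Account      = $_.Name
                NtlmLogons   = $_.Count
                Workstations = ($_.Group.Workstation | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample events (assumed domain CORP, accounts bart.admin / svc.backup).
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">bart.admin</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">FS01</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">bart.admin</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">2</Data><Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">ADM01</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">svc.backup</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">FS02</Data></EventData></Event>
'@
)

$logons = $sampleEvents | ConvertFrom-LogonEventXml
Find-NtlmDependentAccounts -Logons $logons -Candidate 'CORP\bart.admin', 'CORP\svc.backup'
# Expected: both accounts listed, bart.admin with 1 NTLM logon from FS01.

# Real run against this host's Security log (assumed 7-day window):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624;
#            StartTime = (Get-Date).AddDays(-7) } | ForEach-Object { $_.ToXml() }
# Find-NtlmDependentAccounts -Logons ($xml | ConvertFrom-LogonEventXml) -Candidate 'CORP\bart.admin'
```

4624 is logged on the server that accepted the logon, so run this on file, application and management servers, not only on domain controllers; on a DC the NTLM credential validations themselves show up as event 4776 instead. Anything that only appears under ‘Kerberos’ is safe from the NTLM restriction, but delegation and RC4 dependencies still need their own check.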


References (‘Protected Users’ security group)

Protected Users Security Group
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

How to Configure Protected Accounts
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts



Posted in Active Directory, GPO, Group Policy, Microsoft, Security, Windows, Windows Server 2012 R2, Windows Server 2016 | Leave a Comment »

Windows Server 2016 and Windows Defender

Posted by bartvdw on 30/05/2018

Recently I was working on a newly deployed Windows Server 2016 and opened Task Manager for some reason. Windows Defender processes were using quite some CPU, and upon checking the Settings panel I noticed that all AV scanning features were enabled. The server had third-party AV installed, though…

Windows Defender AV is installed by default on Windows Server 2016, but unlike Windows 10 it does not disable itself when a third-party AV is detected. Why this is, no idea; Microsoft’s documentation only states the fact:

In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.


Remove Windows Defender AV using PowerShell:

Uninstall-WindowsFeature -Name Windows-Defender,Windows-Defender-Gui -IncludeManagementTools -Restart:[$false|$True] [-Remove]

* A restart is required to complete the operation (-Restart:$true reboots immediately; with -Restart:$false you reboot yourself later). If you use the -Remove switch, the feature payload is removed from the system as well, so reinstalling it later requires installation media or a -Source path.


This removes Windows Defender AV from the system. Another approach is to leave the feature installed and switch the scanning off through GPO (Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Antivirus, ‘Turn off Windows Defender Antivirus’), which keeps it reversible if the third-party AV is ever removed.
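To see what state Defender AV is actually in before choosing between the two approaches, here is an added example, not code from the original post or from Microsoft: it reports the feature state and the engine status, and wraps both options (turn off by policy, or uninstall with the command above) in functions so that only one gets run. It assumes an elevated PowerShell session on the Windows Server 2016 box itself; the function names are assumptions. The registry value DisableAntiSpyware under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender is the value the ‘Turn off Windows Defender Antivirus’ policy writes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Shows Windows Defender AV state on
# Windows Server 2016 and the two ways of taking it out of the picture when a
# third-party AV is installed. Assumes an elevated session on the server itself.

Import-Module ServerManager

function Get-DefenderState {
    # Feature install state plus what the engine is doing right now.
    $features = Get-WindowsFeature -Name Windows-Defender, Windows-Defender-Gui
    $state = [ordered]@{
        FeatureInstalled = ($features | Where-Object Name -eq 'Windows-Defender').Installed
        GuiInstalled     = ($features | Where-Object Name -eq 'Windows-Defender-Gui').Installed
    }
    # Get-MpComputerStatus only exists while the Defender module is installed.
    if ($state.FeatureInstalled -and (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        $mp = Get-MpComputerStatus
        $state.AMServiceEnabled          = $mp.AMServiceEnabled
        $state.RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        $state.AntivirusEnabled          = $mp.AntivirusEnabled
    }
    # Value written by the GPO "Turn off Windows Defender Antivirus" (1 = off).
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $state.PolicyDisableAntiSpyware = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).DisableAntiSpyware
    [pscustomobject]$state
}

function Disable-DefenderByPolicy {
    # Option A: keep the binaries, stop scanning. Locally this writes the same
    # value the GPO sets; in a domain, set it through GPO instead so that it is
    # not reverted. No reboot is needed.
    Set-MpPreference -DisableRealtimeMonitoring $true      # immediate effect
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name DisableAntiSpyware -Value 1 -Type DWord
}

function Remove-DefenderFeature {
    # Option B: uninstall, as in the command in the post. -RemovePayload maps to
    # -Remove and deletes the feature payload, so re-adding it needs a -Source.
    param([switch] $RemovePayload, [switch] $Restart)
    $r = Uninstall-WindowsFeature -Name Windows-Defender, Windows-Defender-Gui `
            -IncludeManagementTools -Remove:$RemovePayload -Restart:$Restart
    [pscustomobject]@{ Success = $r.Success; RestartNeeded = $r.RestartNeeded; ExitCode = $r.ExitCode }
}

Get-DefenderState
# Pick exactly one of the following:
# Disable-DefenderByPolicy
# Remove-DefenderFeature -RemovePayload        # then reboot when RestartNeeded is 'Yes'
```

Run Get-DefenderState again afterwards: with option A you expect RealTimeProtectionEnabled to be False while the feature stays installed, with option B FeatureInstalled becomes False and Get-MpComputerStatus is gone together with the module.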


References

Windows Defender Antivirus on Windows Server 2016
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016


Posted in AV, Microsoft, Security, Windows, Windows Defender, Windows Server 2016 | Leave a Comment »

Antivirus software exclusions

Posted by bartvdw on 13/08/2008

When you configure antivirus software for servers, you need to take exclusions into account. For MS products they are fairly well documented; if you don’t add these exclusions, you can run into problems or errors. For applications not listed here (MS or third-party), always verify whether something needs to be excluded to make sure your antivirus software does not affect the application! Keep the list as narrow as the vendor documentation allows: every excluded path or process is also a place where nothing gets scanned.

Below is a summary of such exclusions, with references to the MS articles describing them. I will update this post when I have additional information.

Note: the list below uses the default file locations. If you have changed the location of the files (e.g. Ntds.dit), you obviously need to use the altered path!

General exclusions for Windows Server 2003, Windows 2000, Windows XP or Windows Vista:

  • %windir%\ntfrs
  • %windir%\SoftwareDistribution\Datastore\Datastore.edb
  • %windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
  • %windir%\SoftwareDistribution\Datastore\Logs\Res1.log
  • %windir%\SoftwareDistribution\Datastore\Logs\Res2.log
  • %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
  • %windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb
  • For Windows 2000 and 2003 DCs:
    • %windir%\ntds\Ntds.dit
    • %windir%\ntds\Ntds.pat
    • %windir%\ntds\EDB*.log
    • %windir%\ntds\Res1.log
    • %windir%\ntds\Res2.log
    • %windir%\ntds\Temp.edb
    • %windir%\ntds\Edb.chk
    • %systemroot%\sysvol (only this folder, not all subfolders!!!)
    • %systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
    • %systemroot%\sysvol\staging
    • %systemroot%\sysvol\staging areas
    • %systemroot%\sysvol\sysvol
  • Clusters:
    • %windir%\Cluster
    • Q:\ (quorum)
  • DHCP: %windir%\system32\dhcp
  • DNS: %windir%\system32\dns
  • WINS: %windir%\system32\wins
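Applying the domain controller, DHCP, DNS and WINS exclusions above by hand is where the “altered path” mistake from the note happens. The following is an added example, not code from the original post or from Microsoft, that builds the same list for Windows Defender Antivirus but reads the real NTDS, SYSVOL and DHCP locations from the registry instead of assuming the defaults. It assumes Windows Server 2016 or later with the Defender PowerShell module (Add-MpPreference); for a third-party AV the resulting list has to go into that vendor’s exclusion mechanism. The function names are assumptions; the registry keys and value names are the ones the NTDS, Netlogon and DHCP services use.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Builds the DC/DHCP/DNS/WINS
# exclusion list from the post for Windows Defender AV, resolving the actual
# NTDS, SYSVOL and DHCP paths from the registry rather than assuming %windir%.
# Assumes Windows Server 2016+ with the Defender module.

function Get-NtdsExclusions {
    # The NTDS service records where the database, logs and working dir live.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (-not (Test-Path $key)) { return @() }          # not a domain controller
    $p = Get-ItemProperty -Path $key
    $dit     = $p.'DSA Database file'                   # full path to Ntds.dit
    $logDir  = $p.'Database log files path'
    $workDir = $p.'DSA Working Directory'
    @(
        $dit
        (Join-Path (Split-Path $dit -Parent) 'ntds.pat')
        (Join-Path $logDir  'edb*.log')
        (Join-Path $logDir  'res*.log')                 # Res1.log / Res2.log (2003 era)
        (Join-Path $logDir  'edb*.jrs')                 # reserve logs on 2008 and later
        (Join-Path $logDir  'edb.chk')
        (Join-Path $workDir 'temp.edb')
    )
}

function Get-SysvolExclusions {
    # Netlogon stores the path of the shared 'sysvol\sysvol' folder; its parent
    # is the SYSVOL root the post's list is relative to.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $shared = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SysVol
    if (-not $shared) { return @() }
    $root = Split-Path $shared -Parent
    @(
        $root                                           # the folder itself only
        (Join-Path $root 'domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory')  # FRS only
        (Join-Path $root 'staging')
        (Join-Path $root 'staging areas')
        (Join-Path $root 'sysvol')
    )
}

function Get-RoleServiceExclusions {
    # Only add a role's folders when that role's service actually exists here.
    $out = @()
    if (Get-Service DHCPServer -ErrorAction SilentlyContinue) {
        $dhcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'
        if ($dhcp.DatabasePath) { $out += [Environment]::ExpandEnvironmentVariables($dhcp.DatabasePath) }
    }
    if (Get-Service DNS   -ErrorAction SilentlyContinue) { $out += "$env:windir\System32\dns"  }
    if (Get-Service WINS  -ErrorAction SilentlyContinue) { $out += "$env:windir\System32\wins" }
    if (Get-Service NtFrs -ErrorAction SilentlyContinue) { $out += "$env:windir\ntfrs" }
    $out
}

function Get-PlannedExclusions {
    @(Get-NtdsExclusions) + @(Get-SysvolExclusions) + @(Get-RoleServiceExclusions) |
        Where-Object { $_ } | Sort-Object -Unique
}

function Set-RoleExclusions {
    # Adds only what is missing, then prints the effective list for review.
    param([switch] $ReportOnly)
    $current = @((Get-MpPreference).ExclusionPath)
    $missing = @(Get-PlannedExclusions | Where-Object { $_ -notin $current })
    if ($missing.Count -eq 0) { Write-Host 'All role exclusions already present.'; return }
    $missing | ForEach-Object { Write-Host "add: $_" }
    if (-not $ReportOnly) {
        Add-MpPreference -ExclusionPath $missing
        (Get-MpPreference).ExclusionPath | Sort-Object   # what actually landed
    }
}

Set-RoleExclusions -ReportOnly    # drop -ReportOnly to apply
```

Review the “add:” lines before applying: on a DC that uses DFS-R instead of FRS the NtFrs entries simply do not appear, and if Ntds.dit was relocated the NTDS entries follow the registry value, which is exactly the case the note above warns about. Process exclusions such as the Exchange executables further down go in with Add-MpPreference -ExclusionProcess rather than -ExclusionPath.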

Exchange Server:

  • Cdb.exe
  • Cidaemon.exe
  • Store.exe
  • Emsmta.exe
  • Mad.exe
  • Mssearch.exe
  • Inetinfo.exe
  • W3wp.exe
  • Exchsrvr\Conndata
  • Exchsrvr\Mailroot
  • Exchsrvr\Mdbdata
  • Exchsrvr\Mtadata
  • Exchsrvr\server_name.log
  • Exchsrvr\Srsdata
  • %systemroot%\IIS Temporary Compressed Files
  • %SystemRoot%\System32\Inetsrv
  • All Exchange .edb and .log files, plus .stm files (on Exchange 2000 Server)
  • M: drive (on Exchange 2000 Server)
  • SBS:
    • C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail
    • C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail

SQL Server: the data and log files with the .mdf, .ndf and .ldf extensions

WSUS: the MSSQL$WSUS database files and the WSUS content directory

References:

Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, Windows XP, or Windows Vista
http://support.microsoft.com/kb/822158

Overview of Exchange Server 2003 and antivirus software
http://support.microsoft.com/kb/823166

Guidelines for choosing antivirus software to run on the computers that are running SQL Server
http://support.microsoft.com/kb/309422

Recommended Forefront Client Security file and folder exclusions for Microsoft products
http://support.microsoft.com/kb/943556

Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file or the Wsusscn2.cab file is copied
http://support.microsoft.com/kb/900638

Posted in Exchange, McAfee, SBS, Security, SQL, Windows | 3 Comments »