Wednesday, 31 July 2013

NTLM Authentication vs Kerberos Authentication

Hi there. In this article, I am going to explain the difference between two authentication methods, NTLM authentication and Kerberos authentication, in clear steps.


NTLM Authentication

    1. NTLM (Windows Challenge/Response) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.

    2. Credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password.

    3. It uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the wire.

    4. Interactive NTLM authentication over a network typically involves two systems: a client system, where the user is requesting authentication, and a domain controller, where information related to the user's password is kept.

    5. Noninteractive authentication, which may be required to permit an already logged-on user to access a resource such as a server application, typically involves three systems: a client, a server, and a domain controller that does the authentication calculations on behalf of the server.


Kerberos Authentication

    1. Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

    2. It is based on the client-server model and provides mutual authentication: both the user and the server verify each other's identity.

    3. When a server receives Kerberos authentication information from a client, it has enough information to authenticate the client itself, so Kerberos does not need pass-through authentication to a domain controller, which speeds up the authentication process.

    4. It supports authentication delegation. Windows services impersonate a client when accessing resources on the client's behalf. In many cases, a service can complete its work for the client by accessing resources on the local computer.

    5. Starting with Windows 2000, Microsoft implements Kerberos as the default authentication protocol for the Windows OS.

Thanks,
Morgan
Software Developer

Tuesday, 30 July 2013

This configuration section cannot be used at this path error in IIS 7.5

You get this error when you configure the authentication mode through the web.config file or programmatically. By default, IIS 7.5 locks these settings at the parent (server) level, so you must explicitly allow them to be overridden. I received the following alert in IIS 7.5 when my web.config file had Anonymous Authentication disabled and Windows Authentication enabled.


Configuration in my web config file

<system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
</system.webServer>

After hosting my application in IIS, I am getting the below error message.


To resolve this issue in applicationHost.config, follow the steps below.

1. Open applicationHost.config, which is located in the directory C:\Windows\system32\inetsrv\config\.
2. Look through the XML and change the overrideModeDefault attribute from Deny to Allow for the sections anonymousAuthentication and windowsAuthentication.

<sectionGroup name="authentication">
   <section name="anonymousAuthentication" overrideModeDefault="Allow" />
   <section name="basicAuthentication" overrideModeDefault="Deny" />
   <section name="clientCertificateMappingAuthentication" overrideModeDefault="Deny" />
   <section name="digestAuthentication" overrideModeDefault="Deny" />
   <section name="iisClientCertificateMappingAuthentication" overrideModeDefault="Deny" />
   <section name="windowsAuthentication" overrideModeDefault="Allow" />
</sectionGroup>



Thanks,
Morgan
Software Developer

Change Password vs Reset Password in Active Directory

   Both are used to set a new password for a user in Active Directory. The workflow and the permission required to execute the two methods are different. Here I explain which permission is required for which action and what happens when a password is set by each method.

Reset Password in Active Directory

  1. Reset Password allows a user to set a new password without providing the old password.

  2. The Reset Password permission is required by the person who resets the password. With AD's default permissions, only Administrators and Account Operators can reset passwords.

  3. When you reset a password you are performing an administrative act: you force the password to be changed without knowing the old password. This bypasses certain rules of the password policy. For example, it bypasses the password history, but it does not bypass the password complexity rule; the new password must still meet the complexity requirements.

  4. When a password is reset, the account loses access to any EFS-protected files that were configured under the user account.

Change Password in Active Directory

  1. Change Password requires the user's old password to set a new password.

  2. The Change Password permission is required by the person who changes the password. With AD's default permissions, every user can change their own password.

  3. When you change a password, you supply the old password along with the new password; if the old password is correct and the new password follows the password policy, the password is changed.

  4. When a password is changed, the account does not lose access to any EFS-protected files that were configured under the user account.

Thanks,
Morgan
Software Developer

How to clear Cached Credentials in windows

     In the networking world, almost every Windows administrator has stumbled over this question.
In most cases the administrator has supplied different credentials for testing or another purpose, or an existing credential does not have the privileges required to access a resource and he/she wants to replace it.

Steps to Clear Cached Network Credentials

To delete locally cached credentials, follow the steps below.

1. Open the Run window by clicking Start -> Run or pressing Windows key + R.

2. In the text box, type the command rundll32.exe keymgr.dll,KRShowKeyMgr and click OK.
    Note: You can also run this command from the Command Prompt.

    The Stored User Names and Passwords window appears after the command runs.

3. To remove a saved credential, select one of the entries and click Remove. A confirmation dialog appears; click OK and the credential is removed.

4. You can also add saved credentials by clicking the Add button and entering the appropriate information.

Note: This article applies to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.


Thanks,
Morgan
Software Developer

Monday, 29 July 2013

What is the Windows desktop.ini file

    The Desktop.ini file is a hidden file used to customize and adjust settings for the Windows folders that contain the file. Folders are normally displayed with the standard folder icon. A common use of the Desktop.ini file is to assign a custom icon or thumbnail image to a folder. You can also use Desktop.ini to create an infotip that displays information about the folder and controls some aspects of the folder's behavior, such as specifying localized names for the folder or items in the folder.

Severity Level

   This file can be safely deleted from any directory. However, because the file may hold settings for the folder that contains it, deleting it resets those settings to their defaults. For example, if the folder containing this file has a custom icon and you delete the file, the default folder icon is shown again.

How to disable or hide

      Enabling the Hide protected operating system files setting in Folder Options hides Desktop.ini files as well. To access Folder Options, open Windows Explorer, click Organize, click Folder and Search Options and select the View tab.
     

Thanks,
Morgan
Software Developer

How to map a Network Drive to a Shared Folder/Network Folder

Need of Mapping Network Drive and Shared Folder/Network Folder:

     When your computer is part of a network and you want to use files that are stored in shared folders on another networked computer, you access the shared folder by typing its network path (e.g. \\server\sharename).

Since such folders are used regularly in day-to-day work, it is tedious to type the network path every time you access a shared folder. Instead, we can map a drive letter to that network folder to make it easier to access.

Location of Mapped Network Drive and Shared Folder/Network Folder:

    When you map a drive, Windows shows the Shared Folder as a Drive in the Network Location section of Windows Explorer. It will also appear in the Open dialog boxes of most programs (in the Computer section of the Navigation pane).

Steps to map Network Drive with Shared folder/Network folder:

  1. Open the Computer (My Computer) window from the Start menu, or press Windows key + E.
  2. Click the Map Network Drive button on the toolbar to open the Map Network Drive dialog box.



    3. Select an unused drive letter for the shared folder in the Drive list.



    4. In the Folder text box, enter the network share path, or click the Browse button and locate the shared network folder. The path is typed in the form \\DevServer\ShareTools.
    5. Select the Reconnect at logon check box if you want Windows to map the same drive every time you start the computer.
    6. If you need to connect with a different account (for example, because you are not an administrator on the server), select the Connect using different credentials check box. Click Finish; Windows then asks for a user name and password in the Windows Security dialog box, and clicking OK completes the mapping.

    7. The mapped drive is then shown as in the screenshot below.
 


Note: This article applies to Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

Thanks,
Morgan
Software Developer

    Saturday, 27 July 2013

    Create new Active Directory user in c#


    Description:

    You can create a user in Active Directory in different ways. Here I describe two methods that we can use for user creation.

    Summary:

    1. Create new Active Directory Users in C# using PrincipalContext
    2. Create new Active Directory Users in C# using DirectoryEntry

    Create new Active Directory Users in C# using PrincipalContext

    To use this class, you need to add reference System.DirectoryServices.AccountManagement.dll

    using System;
    using System.DirectoryServices.AccountManagement;

    // Bind to the OU in which the users are created
    using (PrincipalContext ouContext = new PrincipalContext(ContextType.Domain,
        "TestDomain.local", "OU=TestOU,DC=TestDomain,DC=local"))
    {
        for (int i = 0; i < 3; i++)
        {
            try
            {
                using (UserPrincipal up = new UserPrincipal(ouContext))
                {
                    up.SamAccountName = "TestUser" + i;
                    up.SetPassword("password"); // sample value; generate a policy-compliant password in real use
                    up.Enabled = true;
                    up.ExpirePasswordNow();     // force a password change at first logon
                    up.Save();
                }
            }
            catch (Exception ex)
            {
                // Report the failure instead of swallowing it silently
                Console.WriteLine("Could not create TestUser" + i + ": " + ex.Message);
            }
        }
    }
    
    

    Create new Active Directory Users in C# using DirectoryEntry

    To use this class, you need to add reference System.DirectoryServices.dll

    using System;
    using System.DirectoryServices;

    using (DirectoryEntry ouEntry = new DirectoryEntry("LDAP://OU=TestOU,DC=TestDomain,DC=local"))
    {
        for (int i = 3; i < 6; i++)
        {
            try
            {
                using (DirectoryEntry childEntry = ouEntry.Children.Add("CN=TestUser" + i, "user"))
                {
                    childEntry.Properties["sAMAccountName"].Value = "TestUser" + i;
                    childEntry.CommitChanges(); // the object must exist in AD before a password can be set
                    childEntry.Invoke("SetPassword", new object[] { "password" }); // sample value
                    // New user objects are created disabled; NORMAL_ACCOUNT (0x200) without
                    // ACCOUNTDISABLE (0x2) enables the account, matching the PrincipalContext version
                    childEntry.Properties["userAccountControl"].Value = 0x200;
                    childEntry.CommitChanges();
                }
            }
            catch (Exception ex)
            {
                // Report the failure instead of swallowing it silently
                Console.WriteLine("Could not create TestUser" + i + ": " + ex.Message);
            }
        }
    }
    

    Thanks,
    Morgan
    Software Developer

    Thursday, 25 July 2013

    LastLogon vs LastLogonTimeStamp

    Description:

    In this article, I am going to explain the difference between LastLogon and LastLogonTimeStamp in Active Directory and how to find the true last logon value of a user from these two attributes.

    Summary:

    • Both are Active Directory schema attributes that hold a user's last logon time in two different ways.
    • LastLogon is a non-replicated attribute. The value of this attribute is specific to each domain controller.
    • LastLogonTimeStamp is a replicated attribute, but it is not updated every time a user successfully logs in. It is updated only when its current value is older than the current time minus the value of the msDS-LogonTimeSyncInterval attribute.

    Before explaining the difference in detail, let me recall the terms replication and non-replicated attributes.

    Replication

       In Active Directory,  objects are distributed among all domain controllers in a forest, and all domain controllers can be updated directly. Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.

    Non-replicated attributes

        Non-replicated attributes are attributes that contain locally unique content on each domain controller. The information stored in such an attribute is not replicated between domain controllers.

    LastLogon

        LastLogon is simply the latest time at which the user logged on, as recorded by a particular domain controller; it is a non-replicated attribute, so its value is specific to that domain controller. We therefore cannot determine the user's true last logon time by querying only one DC. To get an accurate value for the user's last logon in the domain, the LastLogon attribute for the user must be retrieved from every domain controller in the domain. The largest value retrieved is the true last logon time for that user.

      Example

          Consider the user User1 and the domain controllers DC1 and DC2.
    • User1 logs on to DC1 at time T1.
    • User1 logs on to DC2 at time T2.
      To find the user's true last logon, we query both DCs to obtain T1 and T2. The later of the two values is the true LastLogon time.

    LastLogonTimeStamp

         LastLogonTimeStamp is the replicable attribute but this attribute is not updated every time a user successfully logs in. This attribute is updated only when its current value is older than the current time minus the value of the msDS-LogonTimeSyncInterval attribute.

    Example

          Consider the user User1 and the domain controller DC1, and assume:

         msDS-LogonTimeSyncInterval = 14 days
         Current value of LastLogonTimeStamp = T1

    • User1 logs on to DC1 at time T2 (the current time).
       The LastLogonTimeStamp value is updated only if the following condition is satisfied:

        If (T2 - 14 days) > T1, then LastLogonTimeStamp is updated to T2; otherwise it remains T1.
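The two examples above (the largest LastLogon across DCs, and the LastLogonTimeStamp update rule) as runnable Python. This is an added example, not code from the original post; the DC names, dates and the FILETIME encoding helper are my own constructions, and the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Both attributes hold a 64-bit count of 100-nanosecond intervals since
# 1601-01-01 UTC (the Windows FILETIME format); 0 means "never logged on here".
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert the AD large-integer timestamp to a UTC datetime (None for 0)."""
    if value == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for timezone-aware datetimes."""
    delta = dt - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def true_last_logon(last_logon_per_dc):
    """last_logon_per_dc maps DC name -> the lastLogon value read from that DC.
    Because lastLogon is not replicated, the largest value across all DCs is
    the true last logon. Returns (dc_name, datetime) or (None, None)."""
    best_dc, best_value = None, 0
    for dc, value in last_logon_per_dc.items():
        if value > best_value:
            best_dc, best_value = dc, value
    return best_dc, filetime_to_datetime(best_value)


def updated_last_logon_timestamp(current_value, logon_time,
                                 sync_interval=timedelta(days=14)):
    """The post's update rule for lastLogonTimestamp: with stored value T1 and
    a logon at T2, the DC writes T2 only if (T2 - msDS-LogonTimeSyncInterval) > T1;
    otherwise T1 stays. (A real DC also subtracts a random share of up to 5 days
    from the interval to spread replication load; that is left out here.)"""
    t2 = datetime_to_filetime(logon_time)
    threshold = datetime_to_filetime(logon_time - sync_interval)
    return t2 if threshold > current_value else current_value


# Constructed sample: User1's lastLogon as read from each DC of the domain.
SAMPLE_LAST_LOGON = {
    "DC1": datetime_to_filetime(datetime(2013, 7, 1, 9, 0, tzinfo=timezone.utc)),
    "DC2": datetime_to_filetime(datetime(2013, 7, 24, 8, 30, tzinfo=timezone.utc)),
    "DC3": 0,  # User1 never authenticated against DC3
}

# Constructed sample for the replicated attribute: T1 plus two later logons.
SAMPLE_T1 = datetime_to_filetime(datetime(2013, 7, 1, tzinfo=timezone.utc))
LOGON_AFTER_9_DAYS = datetime(2013, 7, 10, tzinfo=timezone.utc)   # inside the 14-day window
LOGON_AFTER_19_DAYS = datetime(2013, 7, 20, tzinfo=timezone.utc)  # outside it

if __name__ == "__main__":
    dc, when = true_last_logon(SAMPLE_LAST_LOGON)
    print("true last logon:", when, "as recorded on", dc)
    for logon in (LOGON_AFTER_9_DAYS, LOGON_AFTER_19_DAYS):
        stored = updated_last_logon_timestamp(SAMPLE_T1, logon)
        print(logon.date(), "-> lastLogonTimestamp =", filetime_to_datetime(stored))
```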

    Note: This article applies to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.

    Related Articles:

    How to: Track AD Account Lockout Root Cause
    AD Account Logon Audit Events
    How to enable Active Directory Change events
    Logon/Logoff Events in Active Directory
    Active Directory Change Event IDs
    Account Lockout Policy in Active Directory

    Thanks,
    Morgan
    Software Developer

    Top 5 File Compression Softwares 2013

    Zip software takes large files and folders that consume a lot of hard disk space and condenses them into smaller, easier-to-manage archives. This also lets you transfer these archives to CDs, DVDs and flash drives for easy backups of your favourite snaps and work documents. You can compress PDF files that may be too large to transfer, saving bandwidth and storage space.

    1. 7-Zip
    2. BitZipper
    3. WinZip
    4. WinRAR
    5. PeaZip

    Thanks,
    Morgan
    Software Developer

    HTTP Error 500.19 - Internal Server Error

    In this article, I am going to explain HTTP Error 500.19 - Internal Server Error with the config error "This configuration section cannot be used at this path." This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

    Detailed Error Information:
    Module               IIS Web Core
    Notification         BeginRequest
    Handler              Not yet determined
    Error Code           0x80070021
    Config Error         This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

    Config Source:
        <validation validateIntegratedModeConfiguration="false" />
        <handlers accessPolicy="Read, Script">
          <remove name="ChartImageHandler" />
    

    Steps to Resolve or Fix HTTP Error 500.19 - Internal Server Error

    ASP.NET applications come pre-wired with a handlers section in web.config. By default, this section is set to Read Only in the Feature Delegation settings of the IIS server. Take a look in IIS Manager:

    1. Open IIS Manager and click the server name. In the right-hand pane, select No Grouping in the Group By option.



    2. Then double-click the setting Feature Delegation.



    3. Search for and select the setting Handler Mappings, which is set to Read Only.



    4. Right-click it and change the value to Read/Write; HTTP Error 500.19 - Internal Server Error is now resolved. Restart IIS and access your web page.

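The two IIS posts above (the authentication sections unlocked in applicationHost.config, and the locked handlers section behind HTTP 500.19) both come down to one question: is a section delegated to web.config at a given path? The Python below is an added example, not code from the original posts: it answers that question for a constructed applicationHost.config excerpt, honouring both locking mechanisms the error message names (overrideModeDefault on the section and overrideMode on a location tag). The section paths, site paths and the excerpt itself are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt (not the real file): nested
# sectionGroups with their overrideModeDefault, plus one <location> tag that
# locks windowsAuthentication for a single application.
SAMPLE_APPHOST = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="handlers" overrideModeDefault="Deny" />
      <sectionGroup name="security">
        <sectionGroup name="authentication">
          <section name="anonymousAuthentication" overrideModeDefault="Allow" />
          <section name="basicAuthentication" overrideModeDefault="Deny" />
          <section name="windowsAuthentication" overrideModeDefault="Allow" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="Default Web Site/LockedApp" overrideMode="Deny">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
"""


def section_defaults(apphost_xml):
    """Map every section path (e.g. system.webServer/handlers) to its
    overrideModeDefault. IIS treats a missing attribute as Allow."""
    defaults = {}

    def walk(group, prefix):
        for child in group:
            if child.tag == "sectionGroup":
                walk(child, prefix + child.get("name") + "/")
            elif child.tag == "section":
                defaults[prefix + child.get("name")] = child.get("overrideModeDefault", "Allow")

    walk(ET.fromstring(apphost_xml).find("configSections"), "")
    return defaults


def location_locks(apphost_xml):
    """List (site_path, overrideMode, section paths) for each <location> that
    sets overrideMode explicitly, the second lock named in the error message."""
    locks = []
    for loc in ET.fromstring(apphost_xml).findall("location"):
        mode = loc.get("overrideMode")
        if mode is None:
            continue
        sections = set()

        def collect(elem, prefix):
            for child in elem:
                sections.add(prefix + child.tag)
                collect(child, prefix + child.tag + "/")

        collect(loc, "")
        locks.append((loc.get("path", ""), mode, sections))
    return locks


def web_config_may_set(apphost_xml, section_path, site_path=""):
    """True if a web.config at site_path is allowed to configure section_path.
    False is exactly the condition that produces HTTP 500.19 / 0x80070021."""
    for loc_path, mode, sections in location_locks(apphost_xml):
        covers = loc_path == "" or site_path == loc_path or site_path.startswith(loc_path + "/")
        if covers and section_path in sections:
            return mode == "Allow"  # an explicit location lock overrides the default
    return section_defaults(apphost_xml).get(section_path) == "Allow"


def delegated_sections(apphost_xml):
    """Sections that any site's web.config may change. Review this list after
    unlocking: each delegated authentication section lets an application turn
    authentication on or off without a server administrator being involved."""
    return sorted(p for p, mode in section_defaults(apphost_xml).items() if mode == "Allow")


if __name__ == "__main__":
    for path in delegated_sections(SAMPLE_APPHOST):
        print("delegated:", path)
    print("handlers in web.config allowed:",
          web_config_may_set(SAMPLE_APPHOST, "system.webServer/handlers"))
```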



    Thanks,
    Morgan
    Software Developer

    How to add Startup programs in Windows7/Windows 8

    Description:

    In this article, I am going to explain about how to add startup programs or applications in Windows 8/Windows 7 machine.

    Steps to Add Startup programs in Windows7/Windows 8

    Try the steps below to add startup programs in Windows 8.

    1. Open the Run command by pressing Windows key + R.

    2. Type %appdata% and press Enter. This should take you to "C:\Users\<User-Name>\AppData\Roaming".

    3. Go to \Microsoft\Windows\Start Menu\Programs\Startup. The full path should look like: "C:\Users\<User-Name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup".

    Note: You can skip steps 2 and 3 by typing the command shell:Startup in the Run box instead of %appdata%.



    4. You can see the following window after you run the above command.



    5. Now add a shortcut for any application that you want to start at logon.

    You can do this by copying an existing shortcut and pasting it here,
    -or-
    right-click -> New -> Shortcut and browse to the program you want to add.




    Note: This article applies to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.

    Thanks,
    Morgan
    Software Developer

    Wednesday, 24 July 2013

    Top 10 Antivirus Software for Windows

    One nasty virus could expose your financial information or stop your computer from working at all. What you need is the best antivirus software possible on your computer. So when picking antivirus software you do not have to insist too much on whether it will protect you from that malicious email, but rather on whether it keeps guard while you surf.

    1. AVG Antivirus   
            AVG is no doubt one of the best software suites out there, thanks to its smooth background performance and great interface, as well as the many options in its free version. It also includes the free option of protecting Android devices and can warn you about dangerous links on Facebook. It comes highly recommended by IT experts and is at the moment quite possibly the best antivirus for Windows out there.

    AVAST Software's avast! Free Antivirus 8 most certainly deserves to be on any list of the best free antivirus programs. avast! Free Antivirus has fully functioning antivirus and anti spyware engines protecting your PC from threats from the Internet, your files, emails, and even instant messages.

    avast! Free Antivirus 8 supports Windows 8, Windows 7, Windows Vista, and Windows XP.

    AVIRA blew onto the market with style and simplicity. The new version boasts a quick install and smooth performance and a great price: it’s free, although some updates do come at a price. The company also seems to have focused particularly on in-browser performance, and rightfully so, as most infections come through there. It also is good at securing your social networking, tracker blocking, and the always tricky web site verification.


    Another classic among the greats. The word Norton has come into general household use when it comes to good virus protection. The only downside is that they know it, and so it is also among the most expensive antivirus programs out there.

    5. McAfee

    McAfee is one of the biggest names in antivirus software. McAfee AntiVirus Plus protects against viruses, worms, spyware, Trojans and rootkits. It also detects and avoids attacks from hackers, phishing scams, dialers, adware and malicious scripts. It is one of the only antivirus software applications to include a two-way firewall. McAfee AntiVirus Plus is equipped to protect your computer from threats regardless of where they come from, including network threats, online scams, malicious websites, risky downloads and files shared through email or IM.



    Bitdefender is one of the most popular antivirus programs. It provides many new features in addition to the common features of an antivirus. Bitdefender Internet Security 2013 has Safepay, anti-theft, parental control, USB immunizer, anti-phishing, Safebox and many more. It works without slowing down your PC and is pretty fast, and because of these new features it has a place in the top 10 antivirus list.





    Kaspersky Antivirus is a product of Kaspersky Labs. It is one of the best, most trustworthy and efficient antivirus programs available worldwide. Kaspersky recently introduced a new technology called System Watcher, which monitors all your processes and flags them according to their behaviour. It performed well in Virus Bulletin tests and blocked 100% of viruses. It has a clean and user-friendly interface, and its new desktop widget adds more value to it.


    Comodo Antivirus from Comodo Security Solutions is another excellent program, easily one of the best free antivirus options out there. Comodo Antivirus 6 protects you from several threat sources, just as most of the other free antivirus programs on this list do.


    Immunet FREE Antivirus is a unique, cloud-based antivirus program, much like Panda Cloud Antivirus and Kingsoft Antivirus. Immunet FREE Antivirus protects your computer from bots, worms, viruses, Trojans, keyloggers, and spyware.


    The new Panda Antivirus 2013 offers greater protection, a clean and user-friendly interface and full web protection. Just install it and forget about malware, adware and spyware; leave it all to Panda Antivirus. Panda Antivirus Pro 2013 is faster, easier to use, more secure and more complete than ever. It is easy to install, needs fewer updates and works without slowing down your computer, making it one of the best antivirus programs.


    Trend Micro is a global leader in network antivirus and internet content security software and services. It has a very effective rate of scanning, locating, blocking and removing adware, malware, spyware and keyloggers. Its cloud-based security feature provides real-time security while you are online and is designed to improve detection and resource utilization. It is one of the few that made the top 10 antivirus list.

    Thanks,
    Morgan
    Software Developer


    Monday, 22 July 2013

    How to change the default Open with program

    This article explains the steps to change or revert the default "Open with" program (the default program) for a file type.

    A default program is the program that windows uses when you open a particular type of file, such as a text file, an image, or a webpage. For example, if you have more than one web browser installed on your computer, you can choose one of them to be the default browser.

    Consider the file type XML, which is supposed to use XML Editor as its default program. If you have changed the default program to Notepad, follow the steps below to revert the default "Open with" program to XML Editor.

    Steps to change default open with program

    1. Open Default Programs by clicking the Start button and then Default Programs, or go to Control Panel -> Default Programs.

    2. Click Associate a file type or protocol with a program, or simply type the path Control Panel\Programs\Default Programs\Set Associations in the Control Panel window's address bar.
         



    3. Scroll down and select the file type XML, for which we are going to revert the default "Open with" program.

    4. Click Change program.

    5. Click the program XML Editor, which should be used as the default program. If you don't see XML Editor, click the arrow next to Other Programs and select XML Editor.






    Note: This article applies to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.
    Thanks,
    Morgan
    Software Developer


    Friday, 19 July 2013

    How to create Fine Grained Password Policy

    In this article I am going to explain how to create a Fine Grained Password Policy (custom password policy) through the ADSI Edit management console and how to link the Fine Grained Password Policy to a specific user or group.

    Summary:

    1. Steps to create Fine Grained Password Policy
    2. Link the Fine Grained Password Policy to specific User or Group

    Steps to create Fine Grained Password Policy

       Follow the steps below to create a fine grained password policy.
    1. Launch the ADSI Edit management console on your DC by running ADSIEdit.msc from the command line or the Run window.
    2. Select the View toolbar menu option, then click Connect to.
    3. In the Connection Settings dialog box, click OK.
    4. Within ADSI Edit, expand the view of your domain down to CN=System so that you can see the contents available under this node.
    5. Right-click CN=Password Settings Container.
    6. Select Create | Object.
    Refer to the screenshot below:



    Fill in the following values in the subsequent windows to create the new fine grained password policy:

    CN : DevPasswordPolicy

    msDS-PasswordSettingsPrecedence : 10

    msDS-PasswordReversibleEncryptionEnabled : False

    msDS-PasswordHistoryLength : 24

    msDS-PasswordComplexityEnabled : True

    msDS-MinimumPasswordLength : 15

    msDS-MinimumPasswordAge : -864000000000 (minimum password age - one day)

    msDS-MaximumPasswordAge : -36288000000000 (maximum password age - 42 days)

    msDS-LockoutThreshold : 30

    msDS-LockoutObservationWindow : -18000000000 (elapsed time after which the bad password lockout counter is reset - 30 minutes)

    msDS-LockoutDuration : -18000000000 (if the number of bad passwords is reached within the observation window, this defines how long the account remains locked out - 30 minutes)

    Link the Fine Grained Password Policy to specific User or Group


    In order to link the fine grained password policy to the correct user or group, you need to configure the object attribute msDS-PSOAppliesTo. To see all the attributes, make sure Show Attributes is set properly in ADUC or ADSI Edit, as in the image below.



    In the attribute list for your FGPP/PSO, scroll down to the msDS-PSOAppliesTo entry and double-click it to open the Multi-valued Distinguished Name With Security Principal Editor dialog box, then add your object in the editor. Here, I have added the group DevGroup.



    To verify that a user in DevGroup has the correct password policy, open the user's [DevUser] properties window in ADUC and look at the msDS-ResultantPSO attribute.



    Now you have successfully created a fine grained password policy and linked it to a user.
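The PSO values above and the msDS-ResultantPSO check, worked in Python. This is an added example, not code from the original post: it converts the readable durations into the negative 100-nanosecond interval encoding that the msDS-* age, window and duration attributes use, runs the ordering checks AD enforces on the values, and picks the resultant PSO for a user the way AD does (a PSO linked directly to the user wins over one linked through a group; otherwise the lowest msDS-PasswordSettingsPrecedence wins). The resultant-PSO rule goes beyond what the post states; the AdminPolicy PSO, the AdminGroup and the DNs are constructed.

```python
from datetime import timedelta

HUNDRED_NS_PER_SECOND = 10_000_000


def to_interval(duration):
    """Encode a duration as msDS-*Age/Window/Duration store it: a negative
    count of 100-nanosecond units."""
    return -int(duration.total_seconds()) * HUNDRED_NS_PER_SECOND


def from_interval(value):
    """Decode a negative 100-ns interval back into a timedelta."""
    if value >= 0:
        raise ValueError("FGPP duration attributes are stored as negative values")
    return timedelta(seconds=-value / HUNDRED_NS_PER_SECOND)


def build_pso(name, precedence, min_length, history_length, complexity, reversible,
              min_age, max_age, lockout_threshold, observation_window, lockout_duration):
    """Prepare the attribute set of a Password Settings Object. Hypothetical
    helper: it only builds the values that are typed into ADSI Edit."""
    return {
        "cn": name,
        "msDS-PasswordSettingsPrecedence": precedence,
        "msDS-PasswordReversibleEncryptionEnabled": reversible,
        "msDS-PasswordHistoryLength": history_length,
        "msDS-PasswordComplexityEnabled": complexity,
        "msDS-MinimumPasswordLength": min_length,
        "msDS-MinimumPasswordAge": to_interval(min_age),
        "msDS-MaximumPasswordAge": to_interval(max_age),
        "msDS-LockoutThreshold": lockout_threshold,
        "msDS-LockoutObservationWindow": to_interval(observation_window),
        "msDS-LockoutDuration": to_interval(lockout_duration),
    }


def validate_pso(pso):
    """Return a list of problems (empty means consistent): the ordering rules
    AD enforces on these values, plus one hardening check on reversible encryption.
    Durations are negative numbers, so a longer duration is a smaller value."""
    problems = []
    if pso["msDS-PasswordSettingsPrecedence"] < 1:
        problems.append("precedence must be a positive integer")
    if pso["msDS-MaximumPasswordAge"] > pso["msDS-MinimumPasswordAge"]:
        problems.append("maximum password age must exceed minimum password age")
    if pso["msDS-LockoutDuration"] > pso["msDS-LockoutObservationWindow"]:
        problems.append("lockout duration must be at least the observation window")
    if pso["msDS-PasswordReversibleEncryptionEnabled"]:
        problems.append("reversible encryption stores recoverable passwords; keep it False")
    return problems


def resultant_pso(user_dn, user_group_dns, pso_links):
    """What msDS-ResultantPSO shows for a user. pso_links is a list of
    (pso_dict, list of DNs in msDS-PSOAppliesTo). Returns the cn, or None when
    no PSO applies and the Default Domain Policy governs the account."""
    direct = [p for p, targets in pso_links if user_dn in targets]
    via_group = [p for p, targets in pso_links
                 if any(g in targets for g in user_group_dns)]
    candidates = direct or via_group
    if not candidates:
        return None
    return min(candidates, key=lambda p: p["msDS-PasswordSettingsPrecedence"])["cn"]


# DNs modelled on the post's TestOU, DevGroup and DevUser; AdminGroup is constructed.
DEV_GROUP = "CN=DevGroup,OU=TestOU,DC=TestDomain,DC=local"
DEV_USER = "CN=DevUser,OU=TestOU,DC=TestDomain,DC=local"
ADMIN_GROUP = "CN=AdminGroup,OU=TestOU,DC=TestDomain,DC=local"

# The policy from the post, in readable units.
DEV_POLICY = build_pso("DevPasswordPolicy", 10, 15, 24, True, False,
                       timedelta(days=1), timedelta(days=42), 30,
                       timedelta(minutes=30), timedelta(minutes=30))
# A constructed, stricter policy with a lower (= winning) precedence value.
ADMIN_POLICY = build_pso("AdminPolicy", 5, 20, 24, True, False,
                         timedelta(days=1), timedelta(days=30), 10,
                         timedelta(minutes=30), timedelta(hours=1))
PSO_LINKS = [(DEV_POLICY, [DEV_GROUP]), (ADMIN_POLICY, [ADMIN_GROUP])]

if __name__ == "__main__":
    for attr, value in DEV_POLICY.items():
        print(f"{attr} : {value}")
    print("problems:", validate_pso(DEV_POLICY))
    print("resultant PSO for DevUser:", resultant_pso(DEV_USER, [DEV_GROUP], PSO_LINKS))
```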

    Thanks,
    Morgan
    Software Developer

    Thursday, 18 July 2013

    How password policy works in Active Directory

    In this article, I am going to explain how the password policy works in an Active Directory based environment. Before proceeding, I have listed the important points about the password policy here.
    1. By default, the Default Domain Policy defines the password policies for every user in Active Directory and every user located in the local Security Account Manager (SAM) on every server and desktop that joins Active Directory.
    2. There can be only one Password Policy for domain users in a Windows 2000 and Windows Server 2003 Active Directory domain.
    3. It's not possible to configure the Password Policy for an Organizational Unit (OU) of users to be different than that of other users in the domain or in a different OU.
    4. The Password Policy settings can't be extended to include additional settings without using a third-party tool or developing a custom password policy solution.
    5. It's not possible to configure a password policy for the root domain and have it "funnel" down to the other domains in the Active Directory tree.

    Possible Settings in the password Policy


         When you edit the Default Domain Policy GPO through the Group Policy Management Console (GPMC), you will find the Password Policy settings under the Account Policies category.

    Go to the node Account Policies: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies.

    The default settings of Default Domain Policy are shown in figure.



    Limitations of the Password Policy for Domain Users


    To ensure you understand what I mean by domain users, let's scope out where these users reside. Domain users are those users that are created and stored in the Active Directory database. This means all users stored on your domain controllers (DCs) fall under this definition. One easy way to see whom this entails would be to open up the Active Directory Users and Computers (ADUC) and do a search on all users for that domain. Every user that shows up on that search falls into this scope.

    The only way to control the password policy for domain users is to configure the aforementioned Password Policy in a GPO that is linked to the domain. That is the only way by default! Yes, it's true that the GPO containing the default password policy settings is the Default Domain Policy, but this is just the default. You can easily create a new GPO, configure the Password Policy settings as you wish, and ensure this GPO has the highest precedence in the GPMC. The result will be that this new GPO controls the Password Policy settings for all domain users.

    Default Password Policies


    When you install a new Active Directory domain within Windows Server 2008 or Windows Server 2008 R2, or upgrade a Windows 2000 or Windows Server 2003 domain to have Windows Server 2008 or Windows Server 2008 R2 DCs, you can configure the domain to be at the Windows Server 2008 Domain Functional Level. At this functional level, you have more capabilities for configurations within the domain, but that doesn't mean that the default behavior changes. This is the case with the Account Policies for domain users.


    When you have a basic Active Directory domain that's running at the Windows Server 2008 Domain Functional Level, the Password Policy for all domain users behaves exactly the same way it always has.
    A Windows Server 2008 or Windows Server 2008 R2 Active Directory domain, without FGPPs implemented


    Fine Grained Password Policies (FGPPs)


    The previous section was clear in stating that the default behavior of the Account Policies in a Windows Server 2008 and Windows Server 2008 R2 domain is exactly the same as it is in any other Active Directory domain before it. The difference comes when the Active Directory domain contains only Windows Server 2008 or Windows Server 2008 R2 DCs, and is moved to Windows Server 2008 Domain Functionality Level. When this occurs, it opens the door for FGPPs. Again, just to reiterate, without FGPPs configured, any Windows domain (including Windows Server 2008 R2 domains) acts the same as it always has.

    The reason you'd want to configure FGPPs is to allow multiple password policies in the same Active Directory domain. Yes, that's correct. The same Active Directory domain can have multiple password policies. The result could be the following:
    • IT employees have a minimum character limit of 20
    • HR and finance employees have a minimum character limit of 15
    • Standard employees have a minimum character limit of 10
    In order to configure FGPPs, you won't be using Group Policy -- FGPPs don't use Group Policy. Instead, the implementation of FGPPs is done by modifying the Active Directory database. The database is altered by adding one or more additional Active Directory objects, referred to as Password Settings Objects (PSOs). This might sound odd, and I must agree it is. If you decide to implement FGPPs, you'll have a mixture of Account Policy settings, via GPOs and FGPPs, in your environment.

    How to create a Fine Grained Password Policy?


       Follow the steps below to create a fine grained password policy:
    1. Launch the ADSI Edit management console on your DC by running ADSIEdit.msc from the command line or the Run window.
    2. Select the View menu, then click the Connect to option.
    3. In the Connection Settings dialog box, click the OK button.
    4. Within ADSI Edit, expand the view of your domain down to CN=System, so you can see the contents available under this node.
    5. Right-click on CN=Password Settings Container.
    6. Select the option Create | Object.
    Refer to the screenshot below:

    create fine grained password policy



    Fill in the following values in the subsequent windows to create the new fine grained password policy:

    CN : DevPasswordPolicy

    msDS-PasswordSettingsPrecedence : 10

    msDS-PasswordReversibleEncryptionEnabled : False

    msDS-PasswordHistoryLength : 24

    msDS-PasswordComplexityEnabled : True

    msDS-MinimumPasswordLength : 15

    msDS-MinimumPasswordAge : -864000000000 (Minimum password age - one day)

    msDS-MaximumPasswordAge : -36288000000000 (Maximum password age - 42 days)

    msDS-LockoutThreshold : 30

    msDS-LockoutObservationWindow : -18000000000 (Elapsed time after which the bad password counter is reset - 30 minutes)

    msDS-LockoutDuration : -18000000000 (If the number of bad passwords is reached within the observation window, this defines how long the account remains locked out - 30 minutes)
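    The same PSO built from the command line with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT), as an added example that is not part of the original post. The group name Dev-Users and the user jdoe are assumptions; the tick conversion shows where the raw negative values entered in ADSI Edit above come from.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# PSO time attributes are stored as negative I8 values counted in 100-nanosecond
# ticks. This helper turns the raw figure shown in ADSI Edit into a TimeSpan so
# the two views of the same policy can be cross-checked.
function ConvertFrom-PsoInterval {
    param([Parameter(Mandatory)][long]$Ticks)
    [TimeSpan]::FromTicks(-$Ticks)
}
# ConvertFrom-PsoInterval (-36288000000000) gives 42.00:00:00 (42 days)

$pso = @{
    Name                        = 'DevPasswordPolicy'
    Precedence                  = 10        # lower value wins if several PSOs apply
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    MinPasswordLength           = 15
    MinPasswordAge              = ConvertFrom-PsoInterval (-864000000000)    # 1 day
    MaxPasswordAge              = ConvertFrom-PsoInterval (-36288000000000)  # 42 days
    LockoutThreshold            = 30
    LockoutObservationWindow    = ConvertFrom-PsoInterval (-18000000000)     # 30 min
    LockoutDuration             = ConvertFrom-PsoInterval (-18000000000)     # 30 min
}
New-ADFineGrainedPasswordPolicy @pso

# A PSO enforces nothing until a user or global security group is linked to it.
# 'Dev-Users' is an assumed group name.
Add-ADFineGrainedPasswordPolicySubject -Identity 'DevPasswordPolicy' -Subjects 'Dev-Users'

# Check the policy the DC will actually apply to one member ('jdoe' is assumed).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```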


    Thanks,
    Morgan,
    Software Developer

    What is DNS?


       DNS is short for Domain Name System or Domain Name Service. A DNS server is an Internet or other network server that maps domain names or hostnames to their associated IP addresses. If a domain name is not found in the local database, the server may query other domain servers to obtain the address for that domain name.
    For example, when a user accesses the MorganTechSpace domain, the user enters the easy-to-remember domain name morgantechspace.com. That name is then looked up on a Domain Name System server, which translates it into an IP address that computers can work with, e.g. 57.98.168.235. Using that IP address, computers can find the computer hosting the MorganTechSpace web page and forward that information to your computer.
    A DNS record, also called a Resource Record, is the basic element of the DNS. Each record contains several pieces of information, including a record type, an expiration time limit, a class, and type-specific data. There are a large number of record types, each describing the format of the data and the intended use of the record. When sent over an IP network, all DNS records conform to the format specified in RFC 1035 (which contains a detailed description of the domain system and protocol).
    Without a server to resolve a domain name (or the proper rights), you'd have to know the IP address of every web page or computer you wanted to access.

    How to Password Protect Files and Folders With Encryption


    Note: Before protecting any document, you may wish to create a backup of the non-password-protected folder and files in case you forget the password in the future.

    Most Windows operating systems do not come with a method of password protecting your sensitive files and folders. If you're using Microsoft Windows 3.x, Windows 95 or Windows 98, you will need to download or purchase a third-party program to password protect your files and folders in Windows; skip down to the Other security solutions section if you're using one of these operating systems.

    Microsoft Windows XP professional users
    Microsoft Windows XP home users
    Other security solutions for protecting your files and folders in Windows
    Things to remember when encrypting or password protecting files and folders


    Microsoft Windows XP professional users
    The steps below for encrypting files on Windows XP Professional apply to users of a computer that has different accounts. If you're using a single account for all users of the computer, see the Other security solutions section below.
    1. Select the folder you wish to encrypt.
    2. Right-click the folder and click Properties.
    3. Click the Advanced button.
    4. Check "Encrypt contents to secure data" option.
    5. Click Apply and then Ok.
    Encrypt contents to secure data is grayed out
    This will be grayed out if you're using the home edition of Microsoft Windows XP. See the below steps for securing the contents of your folders in Windows XP home.
    Show "Encrypt" on the context menu
    The newest version of TweakUI also enables you to show the Encrypt option in the context menu. To do this, follow the below steps.
    1. Open TweakUI.
    2. In the TweakUI window, select Explorer
    3. In the right side of the window under Settings, locate Show 'Encrypt' on context menu and check the box. This option should be below Prefix 'shortcut to' on new shortcuts and above Show 'View workgroup computers' in NetPlaces.
    • I'm missing Show "Encrypt" on the context menu in TweakUI.
    Microsoft Windows XP home users
    1. Select the folder you wish to encrypt.
    2. Right-click the folder and click Properties.
    3. Click the Sharing tab.
    4. Check the box Make this folder private
    5. Click Apply and then Ok.
    Make this folder private is grayed out
    In order for this option to work in Microsoft Windows XP Home, you must meet the requirements below.
    1. The hard drive must be formatted with NTFS, not the FAT32 file system.
    2. The folder you're attempting to encrypt must be in your own personal folder. For example, if your name is bob, you must be encrypting a folder that is, or is contained within, the folder below:
      C:\Documents and Settings\Morgan\
    3. You cannot encrypt any folders outside of this folder. If you wish to encrypt outside this folder, see the Other security solutions section below.
    Other security solutions for protecting your files and folders in Windows

    File and folders not frequently used
    If you need to password protect files or folders that you do not frequently use, one of the simplest ways is to compress the folder and files with a compression utility and password protect the compressed file. However, each time you wish to work or modify the files you will need to uncompress the files using the password.

    Windows ME and Windows XP users - Microsoft Windows ME and Windows XP come with their own compression utility. This utility can also be used to compress and password protect files.
    Note: When a file is compressed, users can still view a listing of the files in the compressed file. If you wish for both your file names and the contents to be hidden, move all the files into a single folder and password protect that folder. 

    File and folders frequently used or accessed
    If you need to password protect or encrypt data you frequently use, you will need to install a third-party program that will enable you to protect your files and folders. Below are some free and commercial solutions.
    • AxCrypt - An excellent free encryption utility that enables users to encrypt all files within a folder and not allow those files to be viewed unless a passphrase (password) is known.                                                       
    • WinCry - A freeware utility that enables your files to be encrypted, secure deletion, as well as other helpful methods of protecting your files.
    • Folder Guard - A commercial version of a password protection software that enables you to password protect files, folders, and other Windows resources.
    Things to remember when encrypting or password protecting files and folders
    1. There is no such thing as a 100% protected file. There are numerous tools, utilities, and instructions for how to break a lot of the encryption and passwords on files. However, the protection methods listed above will protect your files from the majority of users who may encounter them. If you're working with really sensitive data we suggest a commercial product for protecting your files and data.
    2. Even though a file or folder may be password protected it still can be deleted (unless the program supports the ability to protect files from being deleted). Always remember to backup all your files, even those protected by passwords.
    3. If you forget the password, all your file data will be lost unless you're willing to spend the time attempting to break it, pay someone else to break the password, or have made a backup of the non-password-protected data.


    Wednesday, 3 July 2013

    What is DfsrPrivate folder

      The DfsrPrivate folder is a staging folder that acts as a cache for new and changed files to be replicated from sending members to receiving members. The sending member begins staging a file when it receives a request from the receiving member. The process involves reading the file from the replicated folder and building a compressed representation of the file in the staging folder. This is the staged file. After being constructed, the staged file is sent to the receiving member; if remote differential compression is used, only a fraction of the staged file might be replicated. The receiving member downloads the data and builds the file in its staging folder. After the file has finished downloading on the receiving member, DFS Replication decompresses the file and installs it into the replicated folder.




    Monday, 1 July 2013

    What is :Zone.Identifier


    Zone.Identifier is an NTFS alternate data stream generated by Windows Internet Explorer and Outlook to store the URL security zone a file came from.
    How to disable the :Zone.Identifier stream
         You can disable it by applying the following setting through gpmc.msc:
          1. Run gpmc.msc.
          2. Click the Default Domain Policy and click Edit.
          3. Go to the setting: User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager.
          4. Now enable the setting Do not preserve zone information in file attachments.
    Note: refer to the screenshot below.
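    An added example, not from the original post, that audits which files in a folder still carry a Zone.Identifier stream and what zone they were marked with, which is useful to review before the setting above stops the stream from being written. It assumes PowerShell 3.0 or later (for the -Stream parameter); the folder path is an assumption.

```powershell
# Added example, not from the original post. Needs PowerShell 3.0+ for -Stream.
function Get-ZoneIdentifierInfo {
    param([Parameter(Mandatory)][string]$Path)

    # Maps the ZoneId number stored in the stream to the URL security zone name.
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                    3 = 'Internet';      4 = 'Restricted sites' }

    foreach ($file in Get-ChildItem -Path $Path -File -Recurse) {
        # Files that did not arrive via IE/Outlook/a browser have no such stream.
        $stream = Get-Item -Path $file.FullName -Stream 'Zone.Identifier' `
                           -ErrorAction SilentlyContinue
        if (-not $stream) { continue }

        # The stream holds INI-style text: "[ZoneTransfer]" followed by "ZoneId=3".
        $fields = @{}
        Get-Content -Path $file.FullName -Stream 'Zone.Identifier' | ForEach-Object {
            if ($_ -match '^(\w+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
        }

        # A stream without a ZoneId line is malformed; report it rather than assume zone 0.
        $zoneId = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { -1 }
        $zone   = if ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }

        [PSCustomObject]@{
            File   = $file.FullName
            ZoneId = $zoneId
            Zone   = $zone
        }
    }
}

# Assumed target folder; run before and after the GPO change to confirm the effect.
Get-ZoneIdentifierInfo -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```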