Tuesday, May 1, 2018

Configuring Registry Auditing Permissions via GPO

After many years of having nothing in place, we recently decided to implement an auditing solution for our Windows infrastructure.  This includes the auditing of Active Directory, Group Policy, Exchange, Windows File Server, SQL and Windows Server.

Quick side note: If you don't have an auditing solution in place, get one.  Both my manager and I quickly realized we could have been saved a lot of pain over the years by having one in place.  To name a few:

  • Alerting on changes to sensitive security groups or folders.
  • End user tickets: "I accidentally moved a folder and can't find it"
  • Alerting on changes to Full Access and Send As permissions on Exchange mailboxes
  • Video recording (if your solution has it) of consultant/contractor sessions on company servers.
  • These are just a few of the big ones that hit home while watching demos.

Most of the auditing settings are easily configured under "Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Configuration".  However, there are also Registry permissions that must be configured, which is where I got a little stumped.

Vendor documentation instructs you to configure Auditing permissions for HKLM\Software, HKLM\System and HKEY_USERS\.Default as shown below.

Vendor Recommended Permissions (Regedit)

Now, the vendor documentation did not include information for deploying via GPO, so I set out to figure this out on my own.  The process is fairly straightforward:

  • Open your GPO and navigate to "Computer Configuration\Policies\Windows Settings\Security Settings\Registry".
  • Right-click on "Registry" or in the white space to the right and select "Add Key".
  • Select the key you want to set Audit permissions for (in this example, "Machine > Software"), then click OK and the "Database Security" window will open.
  • In the "Database Security" window, click "Advanced", then click the "Auditing" tab.
  • On the "Auditing Entry" window, click "Select a principal", type "Everyone", then click OK.
  • Type: "Success"
  • Applies to: "This key and subkeys"
  • Click "Show advanced permissions"

But wait... "Write DAC" and "Write Owner" are not options!  

As it turns out, Microsoft uses different terminology in the Registry Editor and GP Editor: instead of "Write DAC" and "Write Owner", you will select "Change permissions" and "Take ownership".

After setting those permissions and running a quick "gpupdate /force" on my test server, I checked the key in the Registry Editor to confirm.  As you can see, by using "Change permissions" and "Take ownership", the correct permissions were applied to the server.
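The same confirmation can be scripted instead of checked by hand in Regedit. The following is an added example, not part of the original post or the vendor's documentation: it reads the audit entries (SACL) on the three keys and reports whether Everyone has a Success entry covering the two rights named above. The function name `Test-AuditEntry` is hypothetical, and only the two rights the post names are checked; add any others your vendor's guide lists.

```powershell
# Added example: confirm the audit (SACL) entry the GPO pushed to each key.
# Run elevated; reading a SACL requires the "Manage auditing and security log" right.
$keys = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'Registry::HKEY_USERS\.DEFAULT'

# Regedit "Write DAC" / "Write Owner" == GP Editor "Change permissions" / "Take ownership".
# Only these two rights are named in the post; extend the list to match your vendor's guide.
$required = [System.Security.AccessControl.RegistryRights]'ChangePermissions, TakeOwnership'
$everyone = 'S-1-1-0'   # well-known SID for Everyone (independent of OS language)

function Test-AuditEntry {
    param([string]$Path)

    try {
        $acl = Get-Acl -Path $Path -Audit -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Key = $Path; Compliant = $false; Detail = $_.Exception.Message }
    }

    # Return identities as SIDs so the comparison does not depend on localized names.
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq $everyone -and
        ([int]($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -ne 0) -and
        (($_.RegistryRights -band $required) -eq $required) -and
        # "This key and subkeys": inherited by subkeys and also applied to the key itself
        ([int]($_.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit) -ne 0) -and
        ([int]($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0)
    }

    $detail = 'No matching Success audit rule for Everyone'
    if ($match) { $detail = "$(($match | Select-Object -First 1).RegistryRights)" }

    [pscustomobject]@{
        Key       = $Path
        Compliant = [bool]$match
        Detail    = $detail
    }
}

$keys | ForEach-Object { Test-AuditEntry -Path $_ } | Format-Table -AutoSize
```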



Friday, October 25, 2013

ESXi 5.1 - vShield Endpoint installation encountered error while installing vib

We recently decided to transition from traditional agent based anti-virus to the newer hypervisor based vShield solutions.  As part of that evaluation, you have to deploy the vShield Manager virtual appliance in vCenter and install the vShield Endpoint on each host you want to test your vShield solution with.

After logging into the VMware site and heading to downloads, I found that the latest version of vShield Manager (listed as vShield Endpoint) was 5.0.2.  After deploying and configuring the vShield Manager virtual appliance, the next step is to install the Endpoint on a host.  However, upon attempting to install, I was presented with the following error:

"vShield Endpoint installation encountered error while installing vib"

I immediately headed out to Google to try and resolve this error message.  The first article I came across was VMware KB2032211.  While the article was not specifically for ESXi 5.1, we did use the custom Dell ESXi 5.1 ISO to install on our hosts.  And being that I really hadn't found ANY other useful information regarding the error, I tried the resolutions listed in the article.


After completing the steps in the article, the error persisted.  At this point, I reached out to VMware support for a resolution.

Resolution: The problem was vShield Manager needs to be the same version as your vCenter installation.  As it turns out, VMware has changed the product name of vShield Manager to vCloud Networking & Security, although their website is the last place you will see it called vCloud Networking & Security.  The OVA is deployed as vShield Manager and everything in the appliance is still labeled vShield Manager.

The support engineer also told me he has had countless calls about this issue.

Wednesday, June 19, 2013

XenApp 6.5, Citrix UPM and Microsoft Office Errors

So a few months back, we were forced into rolling out a XenApp farm for a high priority application.  After implementation, our testing phase was immediately crippled by a chain of strange errors in Excel 2010.

Problem: The user's first connection to the Citrix environment goes off without a hitch, no errors and applications work as expected.  However, once they disconnect and their profile is migrated to the UPM user store, all subsequent connections see a handful of errors and broken functionality.

Upon launching Excel, the following error would appear for any 3rd party Excel add-ins:

Microsoft Excel cannot access the file 'C:\Program Files (x86)\PATH TO ADDIN DLL', There are several possible reasons:
  • The file name or path does not exist.
  • The file is being used by another program.
  • The workbook you are trying to save has the same name as a currently open workbook

After clicking OK on the dialog boxes, everything looked good... until you clicked on File --> Save As or Open!  Nothing happens, it appears whatever was causing the issue had broken Windows Explorer functionality within Excel.

In addition, launching Windows Explorer would display the following error:

C:\Users\Username\Desktop refers to a location that is unavailable...

And lastly, while displaying no errors at launch, Microsoft Word would exhibit the same broken functionality when trying to open or save documents and hang indefinitely when exiting.

After spending way too many hours on the phone with Citrix support trying to resolve the issue, we narrowed it down to our UPM folder inclusion/exclusion GPO causing the issue.

Resolution: Configure Windows Folder Redirection for the Desktop folder.

As it turns out, during discussions with our consultant regarding the implementation, we told him we did not want the Desktop redirected as we do not want users saving documents there.  Apparently, none of us knew of the dependencies Microsoft Office has on the Desktop folder.

Afterwards, I did a little searching and found this article:
http://support.citrix.com/article/CTX130329

While this was of no help during my troubleshooting (because none of my errors led to the article), there are obviously other issues that can arise when excluding the desktop folder in your UPM policy.


Friday, November 2, 2012

Saving an Excel Created CSV in UTF-8 Format

I recently had the need to create a large CSV file to import our corporate employee list into a new system.  The system required that the CSV be formatted in UTF-8 format.

I already had a table from another application with a complete list of user information, so performing a copy/paste to Excel 2010 made things super easy.  Unfortunately, even if you start with a UTF-8 formatted CSV file, once you modify and save it using Excel, you lose the UTF-8 formatting.

I did a little searching trying to find a way to save the CSV in UTF-8 format with Excel and came up empty.  Then I stumbled across an easy solution.

Once you have your file ready for import, save the file as CSV using Excel.

 

Next, open the CSV using Notepad, click File --> Save As, set "Save as type" to "All Files", then select UTF-8 in the Encoding drop-down menu next to the Save button.



That's it, save the document and you now have a UTF-8 encoded CSV which you created in Excel.