Daily Archives: 01/28/2015


Batch File for New Windows Server

I use this batch file to deploy new servers, whether they are 2003, 2008 or 2012. I run it after the initial Windows install and before joining a domain. It includes various ‘fixes’: it disables all SSL versions and weak ciphers for IIS, installs the Telnet client on 2008 and above, allows joining a single-label domain, properly disables the Windows firewall, etc.

Updated to restrict more weak cipher suites and enable TLS1.0 through TLS1.2.

Change the 1.1.1.1 addresses (the NTP peer and the WSUS server below) to your own.

@echo off
echo:
echo ======================================================================
echo DO NOT RUN THIS SCRIPT ON A DOMAIN MEMBER SERVER!
echo USE WSUS-REINSTALL SCRIPTS INSTEAD TO RESET WSUS CLIENT.
echo ======================================================================
PAUSE
echo:
:: Install Telnet client
echo Installing Telnet client...
pkgmgr /iu:"TelnetClient"

echo:
:: Allow single label domain name (i.e., domain vs domain.com)
echo ----------------------------------------------------------------------
echo Setting 'Allow single label domain name'...
reg add "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v "AllowSingleLabelDnsDomain" /t reg_dword /d 00000001 /f

echo:
:: Disable subcategory logging for event IDs 5156, 5757, 4963
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

echo:
:: Set Windows Firewall to OFF for all profiles - only if behind hardware firewall
echo ----------------------------------------------------------------------
echo Disabling Windows Firewall...
net start MpsSvc
netsh advfirewall set allprofiles state off
sc config "MpsSvc" start= demand

echo:
:: Set RDP to enabled from its default setting of not allowed
echo ----------------------------------------------------------------------
echo Enabling RDP...
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t reg_dword /d 00000000 /f

echo:
:: Set NTP client - for non-domain servers only
echo ----------------------------------------------------------------------
echo Syncing with NTP server...
sc config w32time start= auto
net start w32time
tzutil /s "Central Standard Time"
RunDLL32.exe shell32.dll,Control_RunDLL timedate.cpl,,/Z Central Standard Time
w32tm /config /manualpeerlist:"1.1.1.1" /syncfromflags:manual /update
net stop w32time && net start w32time
w32tm /resync

echo:
:: Enable Telnet and SNMP
echo ----------------------------------------------------------------------
dism /online /enable-feature /featurename:TelnetClient /featurename:SNMP /featurename:Server-RSAT-SNMP

echo:
:: Reinstall WSUS client and clear potentially corrupt files
echo ----------------------------------------------------------------------
echo Setting up WSUS client...
net stop bits && net stop wuauserv
ipconfig /flushdns
del "C:\Users\All Users\Application Data\Microsoft\Network\Downloader\*.*" /Q
del "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\*.*" /Q
reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "BalloonTime" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "BalloonType" /f
net start wuauserv
net stop bits && net stop wuauserv
regsvr32 wuaueng.dll /s
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "WUServer" /t reg_sz /d "http://1.1.1.1" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "WUStatusServer" /t reg_sz /d "http://1.1.1.1" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "TargetGroupEnabled" /t reg_dword /d 00000001 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "TargetGroup" /t reg_sz /d "WSUS Servers" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "UseWUServer" /t reg_dword /d 00000001 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "NoAutoUpdate" /t reg_dword /d 00000000 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "AUOptions" /t reg_dword /d 00000002 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "ScheduledInstallDay" /t reg_dword /d 00000000 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "ScheduledInstallTime" /t reg_dword /d 00000003 /f
net start bits && net start wuauserv
wuauclt.exe /detectnow

echo:
:: Set ArpRetryCount registry entry for IP conflict issue on 2008
echo ----------------------------------------------------------------------
echo Setting ArpRetryCount registry entry...
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "ArpRetryCount" /t reg_dword /d 00000000 /f

echo:
echo ----------------------------------------------------------------------
echo Disabling weak SSL ciphers...

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel" /v "EventLogging" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\NULL" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 40/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 56/56" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 56/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 128/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 40/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 56/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 64/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 128/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\Triple DES 168" /v "Enabled" /t reg_dword /d 00000000 /f

:: Disable PCT 1.0
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Disable SSLv2
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Disable SSLv3
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Enable TLS1.0, TLS1.1, TLS1.2
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server" /v "Enabled" /t reg_dword /d 00000001 /f

echo:
:: Rename default Administrator account, rename & disable Guest account
echo ----------------------------------------------------------------------
echo Renaming Administrator and Guest accounts...
wmic useraccount where name='Guest' call rename name='NewGuest'
wmic useraccount where name='NewGuest' set disabled='True'
wmic useraccount where name='Administrator' set passwordexpires='False'
wmic useraccount where name='Administrator' call rename name='NewAdmin'
net accounts /maxpwage:90
echo ======================================================================
echo If Admin account was renamed, log out before making further changes.
echo ======================================================================
set ask=none
set /p ask=Log out now? Type YES, NO or hit ENTER to exit:
:: /i makes the comparison case-insensitive; the quotes keep an empty or spaced answer from breaking IF
if /i "%ask%"=="y" goto logoff
if /i "%ask%"=="yes" goto logoff
if /i "%ask%"=="n" goto exit
if /i "%ask%"=="no" goto exit
if /i "%ask%"=="none" goto exit
:: Any other answer exits rather than falling through into :logoff
goto exit
:logoff
echo Logging off...
logoff
:exit
echo ======================================================================
echo Remember to log off if Admin account has been renamed.
echo ======================================================================
timeout 5 > nul
exit
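A verification script, added here and not part of the original batch file, that reads the Schannel keys the batch file writes and reports whether each protocol and cipher is enabled, disabled or left at the OS default (assumes it is run elevated, after the reboot that Schannel changes need):

```powershell
# Added verification script (not part of the original batch file): reads the
# Schannel keys the batch file writes and reports what is still enabled.
# A missing value means Windows applies its version-specific default, which is
# reported as DEFAULT rather than assumed safe. Run it after the reboot.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'

function Get-SchannelValue {
    param([string]$SubKey, [string]$Name)
    # The .NET API is used because the PowerShell registry provider treats the
    # '/' in names such as 'RC4 128/128' as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Get-State {
    param($Enabled, $DisabledByDefault)
    if ($null -eq $Enabled -and $null -eq $DisabledByDefault) { return 'DEFAULT (not set)' }
    if ($Enabled -eq 0 -or $DisabledByDefault -eq 1) { return 'disabled' }
    return 'ENABLED'
}

$rows = @()
foreach ($p in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $sub = "Protocols\$p\$side"
        $rows += New-Object PSObject -Property @{
            Item  = "$p $side"
            State = (Get-State (Get-SchannelValue $sub 'Enabled') (Get-SchannelValue $sub 'DisabledByDefault'))
        }
    }
}
# Ciphers the batch file turns off; cipher keys carry no DisabledByDefault value.
$ciphers = 'NULL', 'RC2 40/128', 'RC2 56/56', 'RC2 56/128', 'RC2 128/128',
           'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168'
foreach ($c in $ciphers) {
    $rows += New-Object PSObject -Property @{
        Item  = "Cipher $c"
        State = (Get-State (Get-SchannelValue "Ciphers\$c" 'Enabled') $null)
    }
}
$rows | Sort-Object State, Item | Format-Table Item, State -AutoSize
# Expected after the batch file and a reboot: PCT/SSL entries and all listed
# ciphers 'disabled', TLS 1.0 to 1.2 'ENABLED'; a 'DEFAULT' row was never set.
```

A DEFAULT row is not necessarily safe: on older releases Windows enables SSL 2.0/3.0 and RC4 unless the value is explicitly written, so the expected result is no DEFAULT rows at all.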
Dual Boot on Windows 8.1


I remember the old days of spending hours trying to figure out how to dual boot Windows. With Windows 7 and 8 it is as simple as running a few commands from the command prompt. Follow along, out loud if you like, to create an entry in your current boot manager that lets you choose which OS to boot, whether it be Windows, *nix or even 2 or 3 different physical HDDs.

Create a new boot loader using BCDEDIT

  1. In Windows 8, run command prompt as administrator (Right-click -> Run as Administrator)
    • Powershell will not work for this task.
  2. Open DISKPART:
    • diskpart
  3. Display a list of all volumes:
    • list volume
  4. Determine which volume contains your Windows 7 OS and make a note of its Ltr (drive letter).
  5. Type EXIT to close DISKPART.
  6. Make a backup of your current boot manager:
    • bcdedit /export d:\bootmgrbak
      • To restore your original config, run the following:
        • bcdedit /import d:\bootmgrbak
  7. Run the below command to list your current boot configuration:
    • bcdedit
      • The first section is your bootmgr
      • The second is the 8.1 boot loader. We’ll make a copy of this section and modify it.
  8. Run the below to copy the {current} boot loader and create a second entry. Type or copy the below exactly as it appears… no need to modify any part of it unless you want a name other than ‘Windows 7’.
    • bcdedit /copy {current} /d "Windows 7"
      • /d sets the name for the copied config to what is in quotes and sets it as a boot menu choice.
  9. Now let’s modify the config to point to our other volume/drive:
    • bcdedit
      • Note that you now have a 3rd entry with its description set to ‘Windows 7’.
      • Copy the ‘identifier’ string including the braces {}, use it in place of {xxx} in each command below, and replace the partition value with your volume letter:
        • bcdedit /set {xxx} device partition=e:
        • bcdedit /set {xxx} osdevice partition=e:
        • bcdedit /set {xxx} systemroot \Windows
          • This should be the same whether 8 or 7 and you shouldn’t need to change it, but I’ve included it just in case.
        • bcdedit /set {xxx} path \windows\system32\boot\winload.exe
          • This should be the same whether 8 or 7 and you shouldn’t need to change it, but I’ve included it just in case.

That’s it. Reboot and you should see the fancy new Windows 8 bootloader screen with a choice between Windows 8.1 or Windows 7.
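The same steps scripted, as an added example that is not part of the original post: it assumes the Windows 7 volume letter is given as a parameter, backs up the store, copies {current}, parses the new identifier out of bcdedit's output and applies the four /set commands from step 9, touching the live store only when -Apply is passed (the winload.exe existence check is an added safeguard, and the default backup path is an assumption):

```powershell
# Added example (not from the original post): scripts steps 6 to 9 above.
# Assumes the Windows 7 volume letter is passed in (e.g. E:) and that the
# entry values are the ones the post gives. Without -Apply it only prints the
# bcdedit commands it would run, so the live store stays untouched.
param(
    [Parameter(Mandatory=$true)][ValidatePattern('^[A-Za-z]:$')][string]$TargetDrive,
    [string]$Description = 'Windows 7',
    [string]$BackupPath  = 'D:\bootmgrbak',
    [switch]$Apply
)
$ErrorActionPreference = 'Stop'

function Invoke-Bcd {
    param([string[]]$BcdArgs)
    # Print the command; run it only under -Apply and stop on a non-zero exit so
    # a half-configured entry is not left in the store.
    Write-Host "bcdedit $($BcdArgs -join ' ')"
    if (-not $Apply) { return '' }
    $out = & bcdedit.exe @BcdArgs | Out-String
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed: $out" }
    return $out
}

# Check before touching the store: the target volume must hold a Windows loader.
$loader = Join-Path $TargetDrive 'windows\system32\winload.exe'
if (-not (Test-Path $loader)) { throw "No $loader found; wrong volume letter?" }

Invoke-Bcd @('/export', $BackupPath) | Out-Null                     # step 6: backup
$copyOut = Invoke-Bcd @('/copy', '{current}', '/d', $Description)   # step 8: copy entry
if ($Apply) {
    # bcdedit reports 'The entry was successfully copied to {guid}.'
    if ($copyOut -match '\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}') { $id = $Matches[0] }
    else { throw "Could not find the new identifier in: $copyOut" }
} else { $id = '{new-identifier}' }   # placeholder shown during the dry run

# step 9: point the copy at the other volume
$settings = @(
    @('device',     "partition=$TargetDrive"),
    @('osdevice',   "partition=$TargetDrive"),
    @('systemroot', '\Windows'),
    @('path',       '\windows\system32\boot\winload.exe')
)
foreach ($kv in $settings) { Invoke-Bcd @('/set', $id, $kv[0], $kv[1]) | Out-Null }
Write-Host "Entry $id ('$Description') set to boot $TargetDrive. Undo with: bcdedit /import $BackupPath"
```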

Avoid rebooting twice when you load the Windows 7 boot loader

If you choose Windows 7, your machine will reboot again to load the 7 boot loader. If you want to be able to make a choice without rebooting, run the following to change to the legacy boot screen… that old, familiar black and white, text-only screen. Once this is set to legacy, either choice will throw you straight into the selected OS without having to wait out another reboot and POST.

  • bcdedit /set "{current}" bootmenupolicy legacy
    • To reverse this, run the above, but replace ‘legacy’ with ‘standard’

Edit the timeout for the menu selection screen

  • From within Windows
    • Run msconfig from the command prompt or open Administrative Tools -> System Configuration.
    • Click on the Boot tab and set a timeout in seconds.
  • From an administrative command prompt:
    • bcdedit /timeout X
      • Substitute a time in seconds for X

Install Windows 8.1 From USB

Create a bootable Windows 8.1 USB installation disk via Diskpart. Simply simple.

NOTE: See end of post for a screenshot that sums up these steps. You can use it instead, just make sure to choose the correct disk so you don’t lose any data!

Prerequisites

  • Windows 8.1 ISO file or DVD
  • 4GB or larger USB stick
  • Whiskey (optional)

Get started

  1. Plug in your USB stick.
  2. In Windows 7 open a command line.
  3. Run diskpart:
    • diskpart
  4. Determine which disk is your USB drive:
    • list disk
      • In the next step, make sure to choose your USB stick and not another volume that you need such as your boot volume.
  5. Select the USB drive:
    • select disk 1
      • Where ‘1’ is the number of your USB drive.
  6. Wipe the drive:
    • clean
  7. Create a partition:
    • create partition primary
  8. Select the partition:
    • select partition 1
  9. Make the new partition active:
    • active
  10. Format the partition:
    • format fs=ntfs quick
  11. Assign a drive letter:
    • assign
  12. Once you see the drive in Explorer you can copy the contents of the Windows ISO/DVD to your USB drive. You now have a bootable 8.1 USB stick. Installing from a class 10 USB stick to my Samsung 840 Pro SSD took about 7 minutes up to the time I was requested to name my installation. 🙂
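An added example, not from the original post, that wraps steps 3 to 11 in a PowerShell script whose real job is the "choose the correct disk" check: it refuses to run diskpart unless the disk number is a USB device, is no larger than a stick, and does not hold the boot partition (the 64 GB limit is an assumed guard value):

```powershell
# Added example (not from the original post): runs the diskpart steps above
# from a script, but only after checking that the chosen disk number is a USB
# device, is no larger than a stick, and does not hold the boot partition.
# Assumes Windows 7 or later; the 64 GB limit is a constructed guard value.
param(
    [Parameter(Mandatory=$true)][int]$DiskNumber,   # the number shown by 'list disk'
    [int]$MaxSizeGB = 64,
    [switch]$Apply
)
$disk = Get-WmiObject Win32_DiskDrive | Where-Object { $_.Index -eq $DiskNumber }
if ($null -eq $disk) { throw "Disk $DiskNumber not found; compare with 'list disk'." }
$sizeGB = [math]::Round($disk.Size / 1GB, 1)
if ($disk.InterfaceType -ne 'USB') {
    throw "Disk $DiskNumber ($($disk.Model)) is $($disk.InterfaceType), not USB; refusing to clean it."
}
if ($sizeGB -gt $MaxSizeGB) { throw "Disk $DiskNumber is $sizeGB GB, above the $MaxSizeGB GB guard." }
$bootDisks = Get-WmiObject Win32_DiskPartition | Where-Object { $_.BootPartition } | ForEach-Object { $_.DiskIndex }
if ($bootDisks -contains $DiskNumber) { throw "Disk $DiskNumber holds the boot partition." }

# Same commands as steps 5 to 11, fed to diskpart with /s
$script = @"
select disk $DiskNumber
clean
create partition primary
select partition 1
active
format fs=ntfs quick
assign
exit
"@
Write-Host "Disk $DiskNumber is $($disk.Model), $sizeGB GB. diskpart script:`n$script"
if (-not $Apply) { Write-Host 'Dry run only; re-run with -Apply to wipe and format it.'; return }
$tmp = [IO.Path]::GetTempFileName()
Set-Content -Path $tmp -Value $script -Encoding ASCII
try { & diskpart.exe /s $tmp } finally { Remove-Item $tmp }
Write-Host 'Done. Copy the contents of the Windows 8.1 ISO/DVD to the new drive letter (step 12).'
```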
[Screenshot: diskpart session summarizing the steps above]