Securing Windows RDP with two-factor Authentication.

No Comments

Opening RDP access for you home computer can be quite convenient. However, this means you have to carefully secure access to your machine. One of the things you can do is to enable two-factor authentication.
Duosecurity provides such an option for free (has paid versions for business).

Steps to enable two-factor authentication with Duo:

  • Create a free account on duosecurity.com
  • Log int to your account. Go to Application – create a new application – Microsoft RDP.
  • Install Duo RDP Installer Package (from duosecurity) and install on your machine. It’ll ask for Integration key, Secret key, and API hostname from the application that you created. If you don’t want to use duo for local logins, make sure to check “Only prompt for Duo authentication when logging in via RDP”.
  • Go to your duosecurity dashboard and add a new user. This may be a little tricky if you use a Microsoft Live account (the same account across multiple machines). It doesn’t seem to work with duosecurity. Instead you need to enter your Windows username (Computer Management – Local Users and Groups – Find your account. Use this name in your RDP connection as well as in Duo Security.). Add Phone to your user account and activate it (will text you a link to activate).

You are all set. The next time you try to RDP to your machine, it’ll send you a push notification to your phone before you can login.

Categories: Uncategorized

Migrating Windows Server 2003 to 2012

13 Comments

This is an overview of my effort to upgrade some of our old 2003 servers to Windows Server 2012. It is quite possible there are better ways to accomplish this, as I’m just a developer and server upgrade is not something I do… well it was the first time I did it.

Migrating IIS 6.0 to 8.5

First, I needed to migrate IIS applications, app pools and app pools account. In order to automate this as much as possible, I installed Microsoft Web Platform installer on 2003 and Web Deploy 3.5 (The Web Deployment Tool). I used this guide http://www.iis.net/learn/publish/using-web-deploy/synchronize-iis-60-web-sites to help me.

Create backup on IIS6: iisback /backup /b PreWebDeploy

View dependencies on IIS 6: msdeploy -verb:getDependencies -source:metakey=lm/w3svc/1

Create package on IIS 6:

“C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe” -verb:sync  -source:metakey=lm/w3svc/1 -dest:package=C:\YourExportedPackage.zip,encryptPassword=YourPassword  -enableLink:AppPoolExtension

The password is required since we are exporting App Pools and the identities they use (by specifying enableLink:AppPoolExtension).

Run whatif analysis on IIS 2012:

“C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe” -verb:sync -source:package=c:\YourPackage.zip,encryptPassword=YourPassword -dest:metakey=lm/w3svc/1 -whatif > msdeploysync.log  -enableLink:AppPoolExtension

This will run what-if analysis without actually migrating anything. Check the log and install needed dependencies. Once all dependencies are installed, run the actual migration:

“C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe” -verb:sync -source:package=C:\YourPackage.zip,encryptPassword=YourPassword -dest:metakey=lm/w3svc/1 -enableLink:AppPoolExtension

 Another way (this does not copy the content, so you have to copy the folders with sites contents):
[appcmd seems to be available only starting with IIS7. Thanks to Nick for the correction.]
Run On Source:

C:\Windows\System32\inetsrv\appcmd list apppool /config /xml > C:\ apppools.xml

C:\Windows\System32\inetsrv\appcmd list site /config /xml > C: \sites.xml

Run On Destination:

C:\Windows\System32\inetsrv\appcmd add apppool /in < C:\apppools.xml

C:\Windows\System32\inetsrv\appcmd add site /in < C: \sites.xml

Migrating Shares and related permissions

First, create all of the folders for the shares. Then export the whole folder from the registry: Created registry export for the whole folder from 2003: HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ LanmanServer \ Shares

Restore it on the destination server. This almost takes care of all the shares, except for NTFS permissions.

To copy NTFS permissions run on source:

Icacls C:\YourFolderThatNeedsNtfsPermissionesCopied  /save ExportedFileWithPermissions.txt /t

Run on destination:

Icacls C:\ /restore ExportedFileWithPermissions.txt

 

Migrate Users and Groups

First, install Windows Server Migration. Then use SmigDeploy to migrate users and groups.

Run on Destination (some parameters may be different for other configurations. Google SmigDeploy):

SmigDeploy.exe /package /architecture X86 /os WS03 /path C:\userMigrationTool

Go to Source server and run from userMigrationTool folder (created in a previous step). This will register SmigDeploy on source.

.\Smigdeploy.exe

Run on source:

Export-SmigServerSetting -User All -Group -Path C:\YourMIgrationFolder -Verbose

It’ll ask you a password. Pick one.

Run on destination:

Import-SmigServerSetting -Group -Path C:\YourMigrationFolder -Verbose

 

COM

Since I needed to migrate some COM’s, I had to add a feature COM+ Network Access to enable COM.

Tasks

Open Task Scheduler on destination.

Go to Action – Connect to another Computer. Connect to your source server.

Export the tasks to a temporary location as xml files. I didn’t see a way to export them all at once, so I did it one by one.

Open Task Scheduler on your destination again. Import the tasks.

It may pop up a message saying the account that you used to set up the task needs “Log on as batch job” privileges. In that case, follow a few more steps:

Run secpol.msc /s

Select “Local Policies” in MSC snap in

 Select “User Rights Assignment”

 Right click on “Log on as batch job” and select Properties

Click “Add User or Group”, and include the relevant user.

Categories: Uncategorized Tags: Tags: