suzupy / noresore11


WindowsServer setup #2

Open suzupy opened 6 years ago

suzupy commented 6 years ago

ToDo & changes in this round

Open questions

References

ActiveDirectory

local user, Administrators

firewall

suzupy commented 6 years ago

Adding/removing login users & granting administrator rights

Users here are local users; AD is not considered.

Checking users

net user lists the users; net user USER shows the details of a specific user.

Example:

```
C:\Users\noresore11>net user

User accounts for \\EC2AMAZ-TLIHIM8

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
noresore11
The command completed successfully.

C:\Users\noresore11>net user noresore11
User name                    noresore11
Full Name                    noresore11
Comment                      User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/23/2017 12:33:21 PM
Password expires             12/4/2017 12:33:21 PM
Password changeable          10/23/2017 12:33:21 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/26/2017 1:17:55 AM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.

C:\Users\noresore11>
```
suzupy commented 6 years ago

Adding a user

Requires administrator rights. When starting the command prompt, right-click and choose Run as Administrator.

net user USER PASSWORD /add

Example:

```
C:\Windows\system32>net user test ThisIsPassw0rd /add
The command completed successfully.

C:\Windows\system32>net user

User accounts for \\EC2AMAZ-TLIHIM8

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
noresore11               test
The command completed successfully.

C:\Windows\system32>
```
suzupy commented 6 years ago

Granting administrator rights to a user

net localgroup administrators USER /add

After running it, checking with net user makes it look as if the administrator rights were not granted. Checking from the GUI shows that they were.

Example:

```
C:\Windows\system32>net localgroup administrators test /add
The command completed successfully.

C:\Windows\system32>net user

User accounts for \\EC2AMAZ-TLIHIM8

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
noresore11               test
The command completed successfully.
```

debug

```
C:\Windows\System32\createUser>net user test > test

C:\Windows\System32\createUser>net user noresore11 > noresore11

C:\Windows\System32\createUser>fc test noresore11
Comparing files test and NORESORE11
***** test
User name                    test
Full Name
Comment
***** NORESORE11
User name                    noresore11
Full Name                    noresore11
Comment
*****

***** test
Password last set            10/26/2017 1:31:36 AM
Password expires             12/7/2017 1:31:36 AM
Password changeable          10/26/2017 1:31:36 AM
Password required            Yes
***** NORESORE11
Password last set            10/23/2017 12:33:21 PM
Password expires             12/4/2017 12:33:21 PM
Password changeable          10/23/2017 12:33:21 PM
Password required            Yes
*****

***** test
Home directory
Last logon                   Never
***** NORESORE11
Home directory
Last logon                   10/26/2017 1:17:55 AM
*****
```

![image](https://user-images.githubusercontent.com/25167504/32031382-dd609e80-ba3b-11e7-818e-d5a8ac81762c.png)
suzupy commented 6 years ago

Deleting a user

net user USER /delete

Example:

```
C:\Windows\System32\createUser>net user test /delete
The command completed successfully.

C:\Windows\System32\createUser>net user

User accounts for \\EC2AMAZ-TLIHIM8

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
noresore11
The command completed successfully.

C:\Windows\System32\createUser>
```
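The same create / grant-admin / verify / delete cycle as the net.exe commands in the comments above, written as an added example (not code from the issue) with the LocalAccounts cmdlets that ship with PowerShell 5.1 on Windows Server 2016. It assumes an elevated session; the account name `test` is the hypothetical one used in the thread. The verification step is the part the comments stumble over: `net user` with no arguments only prints account names, so group membership has to be read from the group (or from `net user USER`).

```powershell
# Added example: local-account lifecycle with Microsoft.PowerShell.LocalAccounts
# (PowerShell 5.1, Windows Server 2016). Run from an elevated session.
$UserName = 'test'   # hypothetical test account, as in the thread

# Prompt for the password instead of passing it on the command line:
# "net user test ThisIsPassw0rd /add" leaves the password in the console
# history and in any command-line auditing that is enabled on the host.
$Password = Read-Host -Prompt "Password for $UserName" -AsSecureString

# 1. Create the account (equivalent of: net user USER PASSWORD /add)
New-LocalUser -Name $UserName -Password $Password -Description 'setup test account' | Out-Null

# 2. Grant administrator rights (equivalent of: net localgroup administrators USER /add)
Add-LocalGroupMember -Group 'Administrators' -Member $UserName

# 3. Verify. Membership is a property of the group, so query the group.
#    Local members are reported as COMPUTERNAME\name.
$members = Get-LocalGroupMember -Group 'Administrators'
$isAdmin = [bool]($members | Where-Object { $_.Name -eq "$env:COMPUTERNAME\$UserName" })
'{0} in Administrators: {1}' -f $UserName, $isAdmin

# Review the whole group while you are at it: PrincipalSource tells local
# accounts apart from domain accounts once the box is joined to AD.
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 4. Remove the account when done (equivalent of: net user USER /delete).
#    This deletes the account, not a profile directory it may have under C:\Users.
Remove-LocalUser -Name $UserName
```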
suzupy commented 6 years ago

※ Reference

How to run scripts

How to write scripts

suzupy commented 6 years ago

Turning the firewall on

Turn it on with netsh advfirewall set currentprofile state on

Whether it is on can be checked with netsh advfirewall show currentprofile

Example:

```
C:\Windows\System32\createUser>netsh advfirewall set currentprofile state on
Ok.

C:\Windows\System32\createUser>netsh advfirewall show currentprofile

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Disable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Ok.

C:\Windows\System32\createUser>
```
suzupy commented 6 years ago

Firewall setup

Listing enabled rules

netsh advfirewall firewall show rule name=all status=enabled (not very readable...)

Filtering rules by their settings

There is no such feature, so use PowerShell's select-string.

Example filtering on LocalPort: 80: netsh advfirewall firewall show rule name=all | select-string "LocalPort: *80" -context 9,4

Enabling a rule

netsh advfirewall firewall set rule name="RULE_NAME" new enable=yes

Example: here BranchCache Hosted Cache Server (HTTP-In) is enabled.

```
PS C:\Windows\system32> netsh advfirewall firewall set rule name="BranchCache Hosted Cache Server (HTTP-In)" new enable=yes

Updated 1 rule(s).
Ok.

PS C:\Windows\system32> netsh advfirewall firewall show rule name="BranchCache Hosted Cache Server (HTTP-In)"

Rule Name:                            BranchCache Hosted Cache Server (HTTP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             BranchCache - Hosted Cache Server (Uses HTTPS)
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            80,443
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.

PS C:\Windows\system32>
```

Disabling a rule

netsh advfirewall firewall set rule name="RULE_NAME" new enable=no

Creating a rule

netsh advfirewall firewall add rule name="RULE_NAME" PARAMS

See the help for PARAMS.

Example: here a www rule is created that allows access from outside to ports 80,443.

```
PS C:\Windows\system32> netsh advfirewall firewall add rule name="www" dir=in action=allow protocol=tcp localport=80,443
Ok.

PS C:\Windows\system32> netsh advfirewall firewall show rule name="www"

Rule Name:                            www
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            80,443
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.

PS C:\Windows\system32>
```

Deleting a rule

netsh advfirewall firewall delete rule name="RULE_NAME"
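The firewall steps from the two comments above (turning the firewall on, then listing, filtering, enabling, creating and deleting rules), as an added example rather than code from the issue, using the NetSecurity cmdlets available on Windows Server 2012 and later. Unlike the netsh CLI, these expose the rule's port and address filters as objects, so filtering by local port needs no select-string. It assumes an elevated session; the rule names and ports are the thread's, and the comment about `-RemoteAddress` is a design note, not something the thread configured.

```powershell
# Added example: Windows Firewall administration with the NetSecurity module.
# Run from an elevated PowerShell session on Windows Server 2016.

# Turn the firewall on for every profile, not just the current one, keep the
# block-inbound / allow-outbound policy and log dropped packets (the netsh output
# above shows "LogDroppedConnections Disable", which leaves no trace of probes).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Filter rules by their settings: every enabled inbound rule that opens the
# given TCP port. The port filter object links back to its rule.
function Get-InboundRuleForPort {
    param([string]$Port = '80', [string]$Protocol = 'TCP')
    Get-NetFirewallPortFilter -Protocol $Protocol |
        Where-Object { @($_.LocalPort) -contains $Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Profile, Action, Enabled
}
Get-InboundRuleForPort -Port '80'

# Enable / disable an existing rule by its display name
Enable-NetFirewallRule  -DisplayName 'BranchCache Hosted Cache Server (HTTP-In)'
Disable-NetFirewallRule -DisplayName 'BranchCache Hosted Cache Server (HTTP-In)'

# Create the "www" rule. The netsh version above applies to all three profiles;
# an internet-facing EC2 host normally sits in the Public profile, so scope it
# there. For admin-only services (RDP, WinRM) add -RemoteAddress <subnet>
# instead of leaving the remote scope at Any.
New-NetFirewallRule -DisplayName 'www' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 80,443 -Profile Public | Out-Null

# Review what was created, including the scopes netsh prints as LocalPort/RemoteIP
function Get-RuleSummary {
    param([string]$DisplayName)
    Get-NetFirewallRule -DisplayName $DisplayName | ForEach-Object {
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Enabled   = $_.Enabled
            Profile   = $_.Profile
            Action    = $_.Action
            Ports     = (($_ | Get-NetFirewallPortFilter).LocalPort) -join ','
            RemoteIPs = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
        }
    }
}
Get-RuleSummary -DisplayName 'www'

# Delete the rule
Remove-NetFirewallRule -DisplayName 'www'
```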

suzupy commented 6 years ago

ActiveDirectory installation

Basically followed the GUI steps in https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/

However, (1) in the TCP/IPv4 settings I only specified DNS and did not specify an IP. The IP is managed in the AWS console, so I saw no need to specify it locally.

The domain is ad.local, the DSRM password is 3OQfqgFWD1pe5srRiD5F

Output of Get-ADDomain and Get-ADForest:

```
PS C:\Users\Administrator> Get-ADDomain

AllowedDNSSuffixes                 : {}
ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=ad,DC=local
DeletedObjectsContainer            : CN=Deleted Objects,DC=ad,DC=local
DistinguishedName                  : DC=ad,DC=local
DNSRoot                            : ad.local
DomainControllersContainer         : OU=Domain Controllers,DC=ad,DC=local
DomainMode                         : Windows2016Domain
DomainSID                          : S-1-5-21-1954754111-934380489-3510124825
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=ad,DC=local
Forest                             : ad.local
InfrastructureMaster               : EC2AMAZ-TLIHIM8.ad.local
LastLogonReplicationInterval       :
LinkedGroupPolicyObjects           : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ad,DC=local}
LostAndFoundContainer              : CN=LostAndFound,DC=ad,DC=local
ManagedBy                          :
Name                               : ad
NetBIOSName                        : AD
ObjectClass                        : domainDNS
ObjectGUID                         : fc808273-fef4-4130-af7b-c7e0127c9451
ParentDomain                       :
PDCEmulator                        : EC2AMAZ-TLIHIM8.ad.local
PublicKeyRequiredPasswordRolling   : True
QuotasContainer                    : CN=NTDS Quotas,DC=ad,DC=local
ReadOnlyReplicaDirectoryServers    : {}
ReplicaDirectoryServers            : {EC2AMAZ-TLIHIM8.ad.local}
RIDMaster                          : EC2AMAZ-TLIHIM8.ad.local
SubordinateReferences              : {CN=Configuration,DC=ad,DC=local}
SystemsContainer                   : CN=System,DC=ad,DC=local
UsersContainer                     : CN=Users,DC=ad,DC=local

PS C:\Users\Administrator> Get-ADForest

ApplicationPartitions : {}
CrossForestReferences : {}
DomainNamingMaster    : EC2AMAZ-TLIHIM8.ad.local
Domains               : {ad.local}
ForestMode            : Windows2016Forest
GlobalCatalogs        : {EC2AMAZ-TLIHIM8.ad.local}
Name                  : ad.local
PartitionsContainer   : CN=Partitions,CN=Configuration,DC=ad,DC=local
RootDomain            : ad.local
SchemaMaster          : EC2AMAZ-TLIHIM8.ad.local
Sites                 : {Default-First-Site-Name}
SPNSuffixes           : {}
UPNSuffixes           : {}

PS C:\Users\Administrator>
```
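The forest creation the comment above did through the GUI wizard, as an added example (not code from the issue) using the ADDSDeployment cmdlets on Windows Server 2016. It assumes an elevated session and that the NIC already points at a working DNS server, as configured in the comment; `ad.local` and `AD` are the names chosen there. The DSRM password is the local administrator password used when the DC boots into Directory Services Restore Mode, which is why the script prompts for it instead of carrying it inline. Two caveats worth knowing: the `.local` suffix is reserved for mDNS (RFC 6762) and public CAs will not issue certificates for it, so a subdomain of a domain you own (for example `ad.example.com`) is the usual recommendation; and `Install-ADDSForest` reboots the server when it finishes.

```powershell
# Added example: create a new forest from PowerShell (ADDSDeployment module).
# Run from an elevated session on Windows Server 2016.
$DomainName  = 'ad.local'   # as chosen in the thread; see lead-in about .local
$NetbiosName = 'AD'

# Prompt for the DSRM password rather than writing it into a script or a ticket
$DsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString

# 1. Install the role binaries plus the RSAT tools (Get-ADDomain, Get-ADForest, ...)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Dry run: validates prerequisites (name resolution, local admin rights,
#    disk space, NetBIOS name) without promoting the server.
Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -SafeModeAdministratorPassword $DsrmPassword -InstallDns

# 3. Promote. WinThreshold is the Windows Server 2016 functional level, which is
#    what the Windows2016Domain / Windows2016Forest values in the output above mean.
#    The server reboots when this completes.
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -ForestMode WinThreshold -DomainMode WinThreshold `
    -InstallDns -SafeModeAdministratorPassword $DsrmPassword -Force

# 4. After the reboot: confirm all FSMO roles and the global catalog are on this host
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object Name, ForestMode, SchemaMaster, DomainNamingMaster, GlobalCatalogs
```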
ghost commented 6 years ago

I'll answer what I can!

> I don't understand why, after granting administrator rights from the command prompt, net user doesn't show the administrator rights

When you add a user with net localgroup administrators USER /add, it is added to the local Administrators group. To check this, run net user USERNAME; the groups the user belongs to are shown near the bottom (Local Group Memberships), so you can confirm it there. Also, Administrator and Administrators are different things; the one with the s is the group.

```
C:\Windows\system32>net user noresore11
User name                    noresore11
Full Name                    noresore11
Comment                      User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/23/2017 12:33:21 PM
Password expires             12/4/2017 12:33:21 PM
Password changeable          10/24/2017 12:33:21 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/30/2017 1:34:25 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *Domain Users
The command completed successfully.
```

> Is it OK to give the AD domain an arbitrary name?

I think it's probably fine. DNS is handled by BIND, so there shouldn't be any particular problem...?

> Are there any settings that should be added to AD at this point?

I think it would be good to disable SMBv1 as a WannaCry countermeasure. ※ Removal requires a reboot, and restoring SMBv1 if it is needed later is a hassle, so disabling is recommended.

Run in PowerShell
※ Confirmed that the commands also work on Windows 2016

```
Detect:  Get-SmbServerConfiguration | Select EnableSMB1Protocol
Disable: Set-SmbServerConfiguration -EnableSMB1Protocol $false
Enable:  Set-SmbServerConfiguration -EnableSMB1Protocol $true
```

Reference URL https://support.microsoft.com/ja-jp/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

yuuzi commented 6 years ago

Let's also disable WebDAV, because of CVE-2017-7269.
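An audit-then-disable script for the two hardening points raised in the replies above (SMBv1 and WebDAV), as an added example rather than code from the issue. It assumes an elevated PowerShell session on Windows Server 2016; the SMB cmdlets are the ones quoted in the reply, and `FS-SMB1` and `Web-DAV-Publishing` are the Windows feature names. It adds the check a practitioner wants before flipping the switch: whether any client is currently connected at an SMB 1.x dialect, since those sessions break the moment the protocol is disabled. On WebDAV, CVE-2017-7269 is a buffer overflow in the WebDAV component of IIS 6.0 on Windows Server 2003 R2; on Server 2016 the actionable step is simply not to have the WebDAV Publishing role service installed, which the script checks.

```powershell
# Added example: audit and disable SMBv1, and remove WebDAV Publishing if present.
# Run from an elevated PowerShell session on Windows Server 2016.

function Get-Smb1Status {
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1ProtocolEnabled  = $cfg.EnableSMB1Protocol
        Smb2ProtocolEnabled  = $cfg.EnableSMB2Protocol
        # protocol off vs. feature removed: the reply above explains the difference
        Smb1FeatureInstalled = (Get-WindowsFeature -Name FS-SMB1).Installed
        # sessions negotiated at dialect 1.x would break once SMB1 is disabled
        Smb1Sessions         = @(Get-SmbSession | Where-Object { $_.Dialect -like '1.*' })
    }
}

$status = Get-Smb1Status
$status | Select-Object Smb1ProtocolEnabled, Smb2ProtocolEnabled, Smb1FeatureInstalled | Format-List

if ($status.Smb1Sessions.Count -gt 0) {
    Write-Warning ('Clients still on SMB1: ' + ($status.Smb1Sessions.ClientComputerName -join ', '))
}

if ($status.Smb1ProtocolEnabled) {
    # Takes effect immediately, no reboot; -EnableSMB1Protocol $true reverses it.
    # Uninstall-WindowsFeature FS-SMB1 is the stronger step but needs a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# WebDAV is only exposed when IIS's WebDAV Publishing role service is installed
$webdav = Get-WindowsFeature -Name Web-DAV-Publishing
if ($webdav.Installed) {
    Uninstall-WindowsFeature -Name Web-DAV-Publishing
} else {
    'WebDAV Publishing is not installed.'
}

# Re-check the result
Get-Smb1Status | Select-Object Smb1ProtocolEnabled, Smb1FeatureInstalled
```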