hdg.technotes

Wednesday, April 8, 2020

Windows Server RRAS Static Filters with NAT

It is possible to use both NAT and Static Filters together on one RRAS server, even though RRAS Static Filters are stateless and NAT requires a stateful firewall.

If you view the NAT Session Mappings (right-click > View Mappings) while a NAT session is active, you'll see 3 IP addresses per session: public, private, and remote. I added both the public IP and the private IP/range to a "Drop all packets except..." Inbound Static Filter on my "public" RRAS interface(s).

Inbound static filters on "public" NAT interface(s) in RRAS "General" section:
1: Source: Any, Destination: "public" IP, 255.255.255.255 subnet mask (to isolate it to a single IP address)
2: Source: Any, Destination: "private" IP/range (for example 10.10.10.0, 255.255.255.0 for a /24 subnet)

This appears to allow NAT (Any > Public) and forwarding (Any > Private) to occur, while excluding other undesired routing.

It seems like the second filter could be set as Public > Private, but this didn't work for me; I needed Any > Private.

Thursday, April 24, 2014

How to prevent access to console session (Session 0) WITHOUT disabling Interactive Services Detection (UI0Detect)

I have a server running an interactive service. This service's GUI can only be accessed through Microsoft's Interactive Services Detection (UI0Detect) service. I wanted Administrators to be able to access the GUI, but not anyone in the Remote Desktop Users group. Initially I had some Logon/Logoff and Task Scheduler scripts running to automatically stop/disable the UI0Detect service when it was not needed, but this was less than elegant and not foolproof. So I found a better way via WMI! This disables access to the 'Console' session (session 0) by members of the 'Remote Desktop Users' group. It took me a bit of googling and trial/error to figure out how to compose the command properly, but it works! The UI0Detect GUI window no longer displays in Remote Desktop User sessions. The commands can be customized as needed. See the helpful links below.

You’d think Microsoft would have this configured as a setting somewhere in group policy or security policy but I didn’t find it!

wmic RDAccount where "TerminalName='Console' and AccountName like '%Remote Desktop Users%'" call delete

In case you want to undo this setting, the command is:

wmic RDPermissions where "TerminalName='Console'" call AddAccount "BUILTIN\Remote Desktop Users", 1
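As an added example (not from the original post), here is the same check and change done from PowerShell instead of wmic: it lists the permission entries on the Console terminal, reports whether Remote Desktop Users still has one, and wraps the delete/restore commands above. It assumes PowerShell 3.0 or later and an elevated session; the function names are my own.

```powershell
# Added example, not from the original post. Uses the same WMI classes that
# wmic exposes as the RDAccount and RDPermissions aliases.
$Namespace = 'root\cimv2\TerminalServices'

function Get-ConsoleTsAccount {
    # One Win32_TSAccount instance per account with an entry on the Console terminal (Session 0).
    Get-CimInstance -Namespace $Namespace -ClassName Win32_TSAccount -Filter "TerminalName='Console'"
}

function Test-ConsoleRduAccess {
    # $true when Remote Desktop Users still has an entry on the Console terminal.
    [bool](Get-ConsoleTsAccount | Where-Object { $_.AccountName -like '*Remote Desktop Users*' })
}

function Remove-ConsoleRduAccess {
    # Equivalent of:
    # wmic RDAccount where "TerminalName='Console' and AccountName like '%Remote Desktop Users%'" call delete
    Get-ConsoleTsAccount |
        Where-Object { $_.AccountName -like '*Remote Desktop Users*' } |
        ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName Delete | Out-Null }
}

function Restore-ConsoleRduAccess {
    # Equivalent of:
    # wmic RDPermissions where "TerminalName='Console'" call AddAccount "BUILTIN\Remote Desktop Users", 1
    # PermissionPreSet 1 is the "User" preset.
    $setting = Get-CimInstance -Namespace $Namespace -ClassName Win32_TSPermissionsSetting -Filter "TerminalName='Console'"
    Invoke-CimMethod -InputObject $setting -MethodName AddAccount -Arguments @{
        AccountName      = 'BUILTIN\Remote Desktop Users'
        PermissionPreSet = [uint32]1
    } | Out-Null
}

# Audit: show who currently has entries on the Console terminal, then report on Remote Desktop Users.
Get-ConsoleTsAccount |
    Select-Object TerminalName, AccountName, PermissionsAllowed, PermissionsDenied |
    Format-Table -AutoSize

if (Test-ConsoleRduAccess) {
    Write-Warning 'Remote Desktop Users still has permissions on the Console terminal; run Remove-ConsoleRduAccess to remove them.'
} else {
    Write-Output 'Remote Desktop Users has no permissions on the Console terminal.'
}
```

Run the audit part on a schedule or after patching to confirm the setting has not been reset; PermissionsAllowed and PermissionsDenied are the raw permission bitmasks for each entry.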

http://serverfault.com/questions/481411/restrict-rdc-console-session-for-administrator-only-in-windows-2003-server
http://web.archive.org/web/20130616045724/http://ts.veranoest.net/ts_faq_administration.htm#console_permission
http://support.microsoft.com/kb/290720/EN-US

Wednesday, August 24, 2011

Run separate explorer window as Admin

This can be accomplished in 2 ways:

1. Best, most reliable method: uses the undocumented /separate switch, which launches Explorer in a separate process.

runas /u:domain\username "explorer.exe /separate"

2. Per-user setting, but it can be set in the default user profile so that it works for all users.

In an Explorer window: Folder Options > View tab > Advanced Settings > Launch folder windows in a separate process.
If this setting is enabled, then the command below will work (without the /separate switch):

runas /u:domain\username explorer.exe

Wednesday, August 17, 2011

Change Windows 7 critical battery level

POWERCFG -SETDCVALUEINDEX a1841308-3541-4fab-bc81-f71556f20b4a e73a048d-bf27-4f12-9731-8b2076e8891f 9a66d8d7-4ff7-4ef9-b5a2-5a326ca2a469 1

POWERCFG -SETACVALUEINDEX a1841308-3541-4fab-bc81-f71556f20b4a e73a048d-bf27-4f12-9731-8b2076e8891f 9a66d8d7-4ff7-4ef9-b5a2-5a326ca2a469 1

Power Scheme GUID: a1841308-3541-4fab-bc81-f71556f20b4a (Power saver)
Subgroup GUID: e73a048d-bf27-4f12-9731-8b2076e8891f (Battery)
Power Setting GUID: 9a66d8d7-4ff7-4ef9-b5a2-5a326ca2a469 (Critical battery level)
Current DC Power Setting Index: 1 (1%)

Google Chrome prevents Windows 7 from sleep

see http://www.google.com/support/forum/p/Chrome/thread?tid=3b1d41b0663a4d40&hl=en

In a command window:
powercfg -requestsoverride PROCESS chrome.exe awaymode display system

To remove the override:
powercfg -requestsoverride PROCESS chrome.exe

source:
http://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/AvailabilityRequests.docx.

A more far-reaching fix if you have a 'Pro' version of Windows 7 is editing local group policy:
start>Run>gpedit.msc
Computer Configuration>Administrative Templates>System>Power Management>Sleep Settings>

Set
Allow Applications to Prevent Automatic Sleep (On Battery)
and
Allow Applications to Prevent Automatic Sleep (Plugged In)

to Disabled.

But this applies to ALL applications, not just Chrome.

Sunday, January 2, 2011

File System links in Windows Vista/7

MKLINK.exe

no argument: FILE symbolic link (like a shortcut but not stored as a .lnk file)
/D: DIRECTORY symbolic link (like a shortcut but not stored as a .lnk file)
/H: FILE junction (hard link) (think of data deduplication; only one physical FILE but multiple logical locations)
/J: DIRECTORY junction (hard link) (think of data deduplication; only one physical DIRECTORY but multiple logical locations)

I've only ever used /J for directory links.

Directory Linker, a nifty GUI for creating symbolic links: http://dirlinker.codeplex.com/

NOTE: The first two methods use 'symbolic links', which may fail when used across network drive mappings ("The symbolic link cannot be followed because its type is disabled"). In this case, the fsutil utility may need to be used to enable the various symbolic link 'types': R2R, L2L, L2R, R2L.

fsutil behavior set SymlinkEvaluation L2L:1 R2R:1 L2R:1 R2L:1

"fsutil.exe" can be made to show what arguments it takes by simply running:

fsutil behavior set /?

The symbolic-link resolution behavior is set on the machine that accesses a given link, not the machine that hosts it.

The behavior codes for "fsutil.exe", namely "L2L", "L2R", "R2L", and "R2R", mean the following:

"L" stands for "Local", and "R" for "Remote" (who would've thunk?)
The FIRST "L" or "R" - before the "2" - refers to the location of the link itself (as opposed to its target) relative to the machine ACCESSING the link.
The SECOND "L" or "R" - after the "2" - refers to the location of the link's target relative to the machine where the LINK itself is located.
Thus, for instance, enabling "R2L" means that you can access links located on a remote machine that point to targets on that same remote machine.

More Info:
stackoverflow.com