Archive for February 23rd, 2015

Security: cloud-client.info domain blacklist

Monday, February 23rd, 2015

Hello Folks,

like already mentioned in our blog registration form we will publish domains which are used by spam bots, malware and virus senders and/or domains where users perform suspicious actions against our websites.

So here is our first list called “domains_we_dont_like” containing 643 domains (collected by our websites in the last 12 months), you can use this list as blacklist for mail servers or to protect other webhostings/services. We do also allow the use of this list for other security related use and to prevent these actions in the future. Please note: There are also a couple popular email providers like GMX, Yahoo or Hotmail in the list, as long these mail provider can’t prevent the massive misuse of there services we have no reason to remove these providers from the list. All listed domains are used a couple of times for different suspicious activities, if you are responsible for one of these domains and you want to be removed you can get in contact with us to discuss how you can be removed from the list.

The list will updated from time to time.

Cheers

Michael

 

Info: What clients can be used with the Windows Server 2012 Work Folder feature?

Monday, February 23rd, 2015

Hi Folks,

very often asked during workshop’s, what Clients can be used with the Windows Server 2012 Work Folder feature. Currently the following Desktop/Mobile OS’s are supported:

– Windows 8(.x) x86 and 64-Bit and Windows RT: Work Folder support is coming directly with the OS.
– Windows 7 x86 and 64-Bit; Work Folder support needs do be downloaded from here and to be installed.
– Apple Ipad (IOS): Work Folders app for devices is available in the Apple store

Still unsupported:

– Windows Phone 8(.x)
– Android
– Linux
– Webbrowser based access

It’s quite funny (no, not really) to see how Microsoft create good features/products and directly do the best to kill this advantage by not providing a client for several major OS’s in the same or nearly equal way.. Similar to the still existing Remote Desktop Gateway gap for Windows Phone or a missing Lync/RDP Client for Linux. Before talking about cloud as the future of Microsoft it’s maybe helpfull to unterstand that “cloud” means a bunch of end devices and it still seams that Microsoft did not realize this small but important fact. ..don’t misunterstand me, i really like these features/products but i really don’t like to explain customers/users all the time why they can’t use these features in there infrastructure regarding the lack of a well developed client infrastructure. Maybe it will be better with Windows Server vNext… …or Skype for Business. 🙂 Maybe iam also to spoilt by the existing Citrix client environment… 🙂 🙂

Cheers

Michael

Tip: Using Windows Server 2012 R2 workfolders with Remote Desktop/Citrix XenApp based Terminal Servers/VDI’s

Monday, February 23rd, 2015

Hi Folks,

already a year ago I wrote an article how you can change the default port for the Windows Server 2012 R2 workfolder role/feature. By default the Workfolder feature works a “sync” share for Windows 8.1 based desktop systems/VDI’s like a self hosted OneDrive/Google Drive. In the article here i’ve also mentioned that these Workfolders can be mapped to a Terminal Server based on Microsoft Remote Desktop Services and Citrix XenApp.

I got a couple of request how the setup should look like so here is a small guide.

1) Install the Workfolder feature (can be found in the file server roles setup) to a Windows Server 2012 R2, make sure that no other feature or application block the SSL Port 443 or modify the Port by following our guide here. During the Workfolder configuration you will be ask what “folder” name should be used, username or username@domain; use username here only.
2) After the workfolder setup is done create a new smb fileshare pointing to your workfolder directory, make sure to setup the exact similar user rights like set for the original workfolder directory. Open Windows Explorer at the Workfolder Server and check the User Rights for the Workfolder and adopt this configuration for the Workfolder Share. If not done right you may mismatch the Userrights and Users may can access files from other Users or loose the Workfolder access.
3) After this is done open the Group Policy Management Console (GPMC) and create a new policy linked to your Terminal Server OU
4) Edit the new policy and browse to User Configuration->Preferences->Windows Settings->Drive Maps and create two new mapping entries, in my sample i map the workfolder shares to drive U: (Click picture to enlarge). Location should be always \\*your_workfolder_server*\*Workfolder_Sharename*\%USERNAME%.

Create the share configuration

Create the share configuration

Update the share configuration

Update the share configuration

Final view

Final view

5) Close the policy and logon to a terminal server to verify the configuration, all modified content within the drive U: will be synced to the user devices and vice versa.

Cheers

Michael

P.S.: This can be also used with any Microsoft Desktop OS based VDI if you want to use the workfolder sync feature only for physical devices (which make sense to prevent double data in the Workfolder Share and the User Profile/Personal VDisk). If you install the file resource manager to the Workfolder Server to set quotes (like 250MB availabe space per User) make sure to set the similar quote also for the fileshare!

P.S.2: The screenshot’s are coming from a production environment, that why the location path is pixeled.

 

Tip (Update): Setting the Startmenu for Terminal Server Users working with Windows Server 2012 R2

Monday, February 23rd, 2015

Hi Folks,

maybe you noticed already that the handling for the Startmenu is very different between Windows Server 2012 R2 and old Windows Server versions like 2008 R2 and so on. These configurations will also work for Windows 8.1 incl. Windows 8.1 RT (Require enabled Group Policy Client service or local Policy setup).

A lot of Administrator want to modify the Startmenu and to offer a standard view for all User, this can be a very tricky task and i saw already a lot of funny way’s how to edit it. To clear this up a little bit i would like to suggest you two ways how this task can be done, the first variant will introduce you a “static” way. Static means the User will get a “fixed” Startmenu without the ability to change something here. The second way will introduce you a way to create a “default” Starmenu  that can be modified by the User. So you can figure out which way works best for you, depending on the scenario, for example if you deploy Terminal Server thru Citrix Provisioning with an static base image it doesn’t make sense to give the User the ability to modificate the Startmenu in any way. These configurations can be done thru local and/or domain policies.

Way 1 – Static Startmenu for all users

1) Login as User with Administrator permissions and install/setup all Applications you want to provide to the user.
2) Setup Starmenu like it should be “published” to the users.
3) After you have finished the final look and feel create a new SMB Share on any fileserver in your environment, call it “startmenu” or something similar.
4) At the server where you have created the Startmenu “User” view open the powerhell with administrative permissions and enter the command: “Export-StartLayout -Path \\*yourfileserver*\*sharename*\StartMenu.xml -As XML”
5) Logoff from the Terminal Server and start the GPMC (Group Policy Management Console) on any domain system where the GPMC is available.
6) Create a new policy (or use an existing Policy) and link it to the OU where your Terminal Server Users can be found and click the right mouse button->Edit.
7) In the policy browse to User Configuration->Policies->Administrative Templates->Start Menu and Taskbar and edit here the setting Start Screen Layout.
8) Enable the policy and set the Start Layout File to the file you have created in 4) = \\*yourfileserver*\*sharename*\StartMenu.xml

startmenustatic

9) Close the policy and make sure the policy is assigned to the right OU, after this login to the Server and verify the result.

Please note: The Startmenu can not be modified thru a User! For the Export-StartLayout command (4) you have to use the XML format for the export, the bin format can not be used thru the policy! If you assign the policies to a Computer OU like your terminal servers don’t forget to enable loopback processing!

Update: I forgot, Applications where the shortcut is not listed in %ProgramData%>Microsoft>Windows>Start Menu may dissapear after the second User Login (Notepad, Internet Explorer default entry as example). So you may have to create the Shortcuts by your own and assign it to the Startmenu before exporting the XML file. In this folder you can also setup the Applications that should be shown to the User in the “full” Starmenu applications view by editing the User permissions for each file and folder in a very simple way. As example if you want to hide the Windows Store disable the permission inheritance and set the User permissions to full access for “Domain Administrators”, “System”, “Administrators” and add the Usergroup(s) which should be able to gain access to the Applications thru the “full” Startmenu view (Arrow down button in the Startmenu). If you want to be more secure regarding the general Application access you can also combine this with the Windows Applocker feature.

Way 2 – Flexible default Startmenu for all Users (Source: Microsoft Platform)

There is also an alternative described here: Microsoft Platform, this way allows also provide write access for the users but it’s a little bit tricky to set it up and can cause issues in production.

I personal do prefer Way 1 which make more sense for the most scenarios, so i do provide only the link to the source.

Cheers

Michael