TrueNAS and Windows clients – NTLMv2 issues

Situation – TrueNAS (or FreeNAS, or other Samba servers) serving an SMB share with NTLMv1 authentication disabled. A standalone Windows 10 system can connect to it, but a domain-joined Windows 10 system constantly claims the password is wrong.

The culprit here was an old group policy setting in the domain:

Network Security: LAN Manager authentication level

(found in Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options)

This was set to Send LM & NTLM - use NTLMv2 session security if negotiated, for backwards compatibility with Windows 2000 boxes and the like. This sets the registry value lmcompatibilitylevel to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

Unfortunately the name of this setting is a bit misleading. According to this article:

Security Watch: The Most Misunderstood Windows Security Setting of All Time

This should negotiate better session security if possible, but does not actually send NTLMv2 requests or responses.

Thus trying to connect to a TrueNAS SMB share fails unless NTLMv1 auth is explicitly enabled (in the SMB service settings).

Ideally the group policy should be removed and the normal setting restored (NTLMv2 only). Or we can enable NTLMv1 on the share if it isn’t going to be a permanent setup.
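An added audit script (not from the original post) that reads LmCompatibilityLevel on a client and reports whether it will ever send an NTLMv2 response; it goes beyond the post by mapping all six policy values, and only writes the registry when run with -Remediate.

```powershell
# Added example: audit (and optionally fix) the client's LmCompatibilityLevel.
# Run in an elevated PowerShell; nothing is changed unless -Remediate is given.
param([switch]$Remediate)

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy names as shown in the Security Options GPO for each registry value.
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $value = (Get-ItemProperty -Path $lsaPath -Name LmCompatibilityLevel `
        -ErrorAction SilentlyContinue).LmCompatibilityLevel
    # When the value is absent, Windows Vista and later behave as level 3.
    if ($null -eq $value) { return 3 }
    return [int]$value
}

$level = Get-LmCompatibilityLevel
Write-Host ("LmCompatibilityLevel = {0} ({1})" -f $level, $levels[$level])

if ($level -lt 3) {
    # Levels 0-2 never send an NTLMv2 response, whatever the "session security"
    # wording suggests, so a Samba/TrueNAS server with NTLMv1 disabled rejects them.
    Write-Warning 'Client sends NTLMv1/LM responses; servers that refuse NTLMv1 will reject the logon.'
    if ($Remediate) {
        # Level 3 is the Windows default and the post's "normal setting" (NTLMv2 only).
        Set-ItemProperty -Path $lsaPath -Name LmCompatibilityLevel -Value 3 -Type DWord
        Write-Host 'Set LmCompatibilityLevel to 3. A domain GPO will reapply the old value unless it is changed too.'
    }
} else {
    Write-Host 'Client sends NTLMv2 responses; NTLMv1 can stay disabled on the server.'
}
```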

Secure disk wipe with Windows format command

From Windows 8 onwards Microsoft snuck in a refinement to the format command. It is now possible to get it to do multi-pass random-number disk wipes. From the help (Win 10 20H2):

 /P:count  Zero every sector on the volume. After that, the volume
           will be overwritten "count" times using a different
           random number each time. If "count" is zero, no additional
           overwrites are made after zeroing every sector. This switch
           is ignored when /Q is specified.

So to do a single-pass random wipe:

  • Repartition the disk with one partition (if desired) and give it a drive letter (let’s say F for this example). It is probably a good idea to remove any OEM, EFI or recovery partitions first; a quick way to do this is the clean command in diskpart.
  • Run format F: /P:1
  • If you feel like it, finish up with a clean command in diskpart.

This should do a pass with all zeros, and then a random-number pass.

Note this isn’t a full ‘write random data to every block in the drive’ erase, but should still be secure enough for most purposes.
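The three steps above as one added script (not from the original post), with guards so it cannot be pointed at the disk Windows is running from. It assumes an elevated PowerShell on Windows 8 or later and that $DiskNumber is the target from Get-Disk.

```powershell
# Added example: diskpart clean -> one partition -> format /P -> diskpart clean.
# DESTROYS ALL DATA on the chosen disk; refuses the boot/system disk.
param(
    [Parameter(Mandatory)][int]$DiskNumber,
    [int]$Passes = 1,          # random-data passes after the zero pass
    [string]$Letter = 'F'      # temporary drive letter, as in the post
)

$disk = Get-Disk -Number $DiskNumber
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber holds the running OS; refusing to wipe it."
}
Write-Host ("Target: disk {0} '{1}' {2:N1} GB" -f $disk.Number, $disk.FriendlyName, ($disk.Size / 1GB))
if ((Read-Host "Type WIPE to erase disk $DiskNumber") -ne 'WIPE') { return }

# Step 1: 'clean' drops every partition (OEM, EFI, recovery included), then one
# primary partition spanning the disk gets the letter that format will use.
@"
select disk $DiskNumber
clean
create partition primary
assign letter=$Letter
"@ | diskpart.exe | Out-Null

# Step 2: zero every sector, then overwrite $Passes times with random data.
# /Q must not be used (it silently disables /P); 'Y' answers the proceed prompt.
'Y' | format.com "${Letter}:" /FS:NTFS /V:WIPED "/P:$Passes"

# Step 3 (optional, as in the post): leave the disk unpartitioned again.
"select disk $DiskNumber`nclean" | diskpart.exe | Out-Null
Write-Host "Disk $DiskNumber wiped: one zero pass plus $Passes random pass(es)."
```

On SSDs an overwrite cannot reach blocks the controller has remapped, so for flash media the drive's own ATA Secure Erase or NVMe Sanitize is the appropriate tool.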

Triggering redetection of network type in Server 2012

Had an issue where a Windows Server 2012 R2 system could not be accessed by RDP or remote management, as the network type had changed to Private (and thus the firewall wasn’t letting these connections through). File sharing was still working.

Found the solution via a SpiceWorks forum: restart the Network Location Awareness service (I needed to log on to the system locally to do this). This triggered a redetection and the type went back to Domain. RDP etc. then worked again.
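An added script (not from the original post) that checks for interfaces stuck on a non-domain profile, applies the NLA restart from above and re-checks. It assumes an elevated local session (RDP may be blocked, as in the post) and Windows 8/Server 2012 or later for Get-NetConnectionProfile.

```powershell
# Added example: detect a domain member that has fallen back to Private/Public
# and force NLA to re-detect the network category.
function Get-NonDomainProfiles {
    Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' }
}

function Repair-NetworkCategory {
    $before = Get-NonDomainProfiles
    if (-not $before) {
        Write-Host 'All connection profiles are DomainAuthenticated; nothing to do.'
        return $true
    }
    $before | ForEach-Object {
        Write-Host ("{0}: {1} ({2})" -f $_.InterfaceAlias, $_.Name, $_.NetworkCategory)
    }

    # Restarting NLA repeats the domain controller reachability test; -Force also
    # restarts the Network List Service, which depends on it.
    Restart-Service -Name NlaSvc -Force
    Start-Sleep -Seconds 10

    $after = Get-NonDomainProfiles
    if ($after) {
        Write-Warning 'Still not DomainAuthenticated; check DC reachability (DNS, LDAP, Kerberos) first.'
        return $false
    }
    Write-Host 'Back to DomainAuthenticated; the Domain firewall profile now applies, so RDP rules work again.'
    return $true
}

Repair-NetworkCategory
```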

Upgrading from m.2 SATA to Crucial NVMe drive on Latitude 7490

Scenario:

Dell Latitude 7490 with an existing SATA m.2 SSD. We want to upgrade to a larger NVMe drive (Crucial 1Tb).

First tried the new drive in a StarTech NVMe USB enclosure (M2E1BMU31C). Downloaded the Crucial cloning software (a locked version of Acronis). Problem – the drive is not recognised as a Crucial drive, so Acronis won’t run.

Posts suggest that the new drive should be installed in the laptop first and the system booted from the old drive via USB. So take the current drive out and put it in a SATA USB m.2 enclosure. Attach this to the USB-C port and reboot.

This doesn’t work. What does work is attaching it to a USB-A port instead. Then it boots with no intervention.

After that the disk was cloned (with no reboot necessary!), the old drive disconnected and the system booted happily from the new drive.

Setting Windows 10 web proxy per-user

There are a couple of GUI routes for setting the system web proxy for Windows 10 – the old control panel page (via Network and Internet – Network Options):

Windows 7 and later Control Panel system web proxy settings panel.

And the new settings style:

Windows 10 system Proxy settings new style.

Note that the new style does not warn you that you may not be allowed to set the proxy – you can change the settings, but if you select another panel and then go back to Proxy your settings will be gone.

The reason for this is often that the system is configured to set the proxy at machine level, not per-user. On domain systems this can be changed using Group Policy. On standalone systems it can be changed using a registry value, located under

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

There is a DWORD value here called ProxySettingsPerUser (if not, create it). 0 means the proxy is set at machine level, 1 enables per-user settings.

If you change this to 1 then you should immediately be able to change the proxy settings.
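An added script (not from the original post) that reports whether the proxy is policy-locked at machine level, shows the proxy entry the system is actually using, and with -PerUser flips ProxySettingsPerUser to 1. It assumes an elevated PowerShell and that, at machine level, the effective entries live under the HKLM Internet Settings key.

```powershell
# Added example: inspect / switch the WinINET proxy scope (machine vs per-user).
param([switch]$PerUser)

$policyPath  = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$machinePath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$userPath    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyScope {
    $v = (Get-ItemProperty -Path $policyPath -Name ProxySettingsPerUser `
        -ErrorAction SilentlyContinue).ProxySettingsPerUser
    # Absent value: Windows default, proxy settings are per-user.
    if ($null -eq $v) { return 'PerUser' }
    if ([int]$v -eq 1) { return 'PerUser' }
    return 'Machine'
}

$scope = Get-ProxyScope
Write-Host "Proxy scope: $scope"

# Show the entries that are actually in effect for this scope.
$hive = if ($scope -eq 'Machine') { $machinePath } else { $userPath }
$p = Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue
Write-Host ("Effective: ProxyEnable={0} ProxyServer={1} ProxyOverride={2}" -f `
    $p.ProxyEnable, $p.ProxyServer, $p.ProxyOverride)

if ($PerUser -and $scope -eq 'Machine') {
    # 1 = per-user; this is the change described in the post.
    Set-ItemProperty -Path $policyPath -Name ProxySettingsPerUser -Value 1 -Type DWord
    Write-Host 'ProxySettingsPerUser set to 1; the Settings > Proxy page should now keep your changes.'
}
```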

Notes on setting up Canon PiXMA iX6850 A3 inkjet

Windows driver – the IJ Network tool does allow you to input an IP address eventually (the Mac version does not). Conveniently our print server was on the same subnet as the printer, so it found it straight away. The driver can be installed on Server 2012 and shared, but cannot be shared as an LPD queue (as Canon don’t use a standard IP port).

The printer does function as an IPP printer, and as LPD (if enabled).

On the Mac, use the IP address of the printer – it doesn’t communicate properly with the DNS name.

OneDrive for Business High CPU

Had an issue where OneDrive for Business (installed with Office 365) was constantly using one CPU core. None of the fixes involving the cache or resetting the client worked. The problem seems to have started with recent (possibly after Office 365 1712 8827.2148) updates. What did work was the solution in this thread:

https://social.technet.microsoft.com/Forums/en-US/c968088a-cabb-45bb-b171-0fe937ac1e1c/onedrive-for-business-uses-high-cpu-since-office-365-1712-88272148?forum=sharepointgeneral

Condensed version: Stop using the old client (groove.exe) and use the personal client instead, which now seems to work (at least, the latest Windows 10 version) with business accounts as well.

(Note that this doesn’t apply to connections to onsite hosted sharepoint drives – there is apparently a fix coming sometime.)

The sequence is:

  1. Stop the OneDrive for Business client (right-click the system tray icon and choose exit, or kill it otherwise).
  2. Disable it from starting (use msconfig as an easy way to do this).
  3. Remove the existing OneDrive for Business folders (move them to a backup location)
  4. Open the personal OneDrive settings.
  5. Add an account and connect to the business account.


Setting proxy in Windows Server 2016 for the Update service

In Windows Server 2016 the usual trick of just setting a proxy server in IE doesn’t seem to work. The proxy can be set from the command line, but there is some contradictory advice out there. What worked for me was:

netsh winhttp set proxy proxy-server="your.proxy.server:port" bypass-list="*.your.local.domain"

This should result in:

Current WinHTTP proxy settings:

    Proxy Server(s) : your.proxy.server:port
    Bypass List : *.your.local.domain

You can also check this with

netsh winhttp show proxy

You are meant to be able to import this from IE, but that gave me a syntax error.

You may need to restart the update service after this to kick it into life.
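An added script (not from the original post) that applies the netsh command above and then confirms it took effect by parsing the output of netsh winhttp show proxy, before restarting the update service as the post suggests. The proxy and bypass values are the post's own placeholders.

```powershell
# Added example: set the WinHTTP (system) proxy, verify it, restart Windows Update.
param(
    [string]$Proxy  = 'your.proxy.server:port',
    [string]$Bypass = '*.your.local.domain'
)

function Get-WinHttpProxy {
    # Parse the text of 'netsh winhttp show proxy' into a small hashtable.
    $result = @{ Direct = $false; ProxyServer = $null; BypassList = $null }
    foreach ($line in (netsh winhttp show proxy)) {
        if ($line -match 'Direct access') { $result.Direct = $true }
        elseif ($line -match 'Proxy Server\(s\)\s*:\s*(.+)$') { $result.ProxyServer = $Matches[1].Trim() }
        elseif ($line -match 'Bypass List\s*:\s*(.+)$')      { $result.BypassList  = $Matches[1].Trim() }
    }
    return $result
}

netsh winhttp set proxy proxy-server="$Proxy" bypass-list="$Bypass" | Out-Null

$cfg = Get-WinHttpProxy
if ($cfg.Direct -or $cfg.ProxyServer -ne $Proxy) {
    throw "WinHTTP proxy not applied; show proxy reports '$($cfg.ProxyServer)'"
}
Write-Host "WinHTTP proxy: $($cfg.ProxyServer), bypass: $($cfg.BypassList)"

# Windows Update runs as a service and uses the WinHTTP proxy, not the IE/user one.
Restart-Service -Name wuauserv
```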

Forcing Windows 10 Enterprise to install on a system with a Home version key in the BIOS

Problem – I had a system (HP Spectre) with Windows 10 Home edition which I wanted to upgrade to Enterprise (to get BitLocker). The trouble is, even when using the Windows 10 Enterprise install ISO and a clean install, it installed Home. This is because setup detects a Home key embedded in the BIOS and automatically installs that edition without giving you a choice.

You can apparently force it to install the version you want by including EI.cfg and PID.txt files in the install ISO (or USB key). I had a look at our ISO, which does include EI.cfg. The contents are:

[EditionID]
Enterprise

[Channel]
Volume

[VL]
1

Interestingly, according to the Microsoft documentation this is wrong – [Channel] should be either Retail or OEM…

There is no PID.txt file. According to some people this is also required. I was going to try this, but then found a simpler solution. You can run setup.exe from the DVD (assuming you have a functioning install already, as I had here) with command line switches, including one specifying the product key.

setup.exe /PKey NPPR9-FWDCX-D2C8J-H872K-2YT43

(List of KMS client product keys)

Hey presto, this time the upgrade wizard only gives you the option of a clean(ish) install (as Win 10 Home to Enterprise is not a supported in-place upgrade for some reason), and the summary explicitly confirms you are upgrading to Enterprise.

And then you wait ages…

Note that if you have a system with Pro, then in theory you can change the product key (there are several ways to do this) to get to Enterprise. On the other hand, Pro can join domains and has BitLocker anyway.