vCenter Server 7.0 Installation
vCenter Server 7.0 Installation !!
VMware vSphere 7.0 has been announced by VMware and available from 02 April 2020. There are so many new features introduced on this new vCenter server version 7.0.
Hide Folders Under Share with Access Based Enumeration
So todays challenge. Hide visible folders under share to users who don’t have access.
Example
We create some new shares. Folders are then created under the share and NTFS permissions set.
Share Name : Shared Folder
Folder :
- IT (NTFS Permissions – IT group Only)
- HR (NTFS Permissions – HR group Only)
- PAYROLE (NTFS Permissions – Payrole group Only)
- ALL USERS (NTFS Permissions – HR Only)
I created a share. When logged in as a user, i could see all the folders under the shared folder.
As you would expect, I could only open the folders I had access to.
So, is this suitable? It doesnt let users in to folders they dont have access to, but it does tell them which folders are there.
So this is where “Access Based Enumeration” might come in. This feature hides folders from users that do not have permission to that folder.
Access based enumeration (ABE) came out in Windows Server 2008.
How to setup Access Based Enumeration:
- Launch “SERVER MANAGER” (Server 2012 or Server 2016)
- Click on “FILE AND STORAGE SERVICES”
- Click on “SHARES”
- Right click on each share you want to set ABE, select “PROPERTIES”
- Click “SETTINGS”
- Click “ENABLE ACCESS BASED ENUMERATION”
The next time a user logs in and views the share only users that have permissions to that folders under the share will be able to see them. The folders they dont have permission to will not appear.
—Always try things in a lab environment, always seek further information before implementing from the vendor i.e Microsoft.com —
Remote Desktop Server – Customisation and Useful GPO settings
User cannot change an expired user account password in a remote desktop session that connects to a Windows Server 2008 R2-based RD Session Host server in a VDI environment
https://support.microsoft.com/en-us/kb/2648402
- 1. Open the following file: %systemDrive%/windows/web/rdweb/pages/web.config
- Set the following value to TRUE: <!– PasswordChangeEnabled: Provides password change page for users. Value must be “true” or “false” –> <add key=”PasswordChangeEnabled” value=”false” />
Disable IE security in a GPO using reg change
Set Trust sites
http://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/
Setup SSO & disable remote app prompt
Deploying RD Session Host Servers or Farms
How to Remove the Access Messages and Enable the Single Sign On for RemoteApps
Deploy Certificates by Using Group Policy
Enable RDC Client Single Sign-On for Remote Desktop Services
https://technet.microsoft.com/en-us/library/cc742808.aspx
https://technet.microsoft.com/en-us/library/cc742808.aspx
How to resolve the issue: “A website wants to start a remote connection. The publisher of this remote connection cannot be identified.”
Do you trust the publisher of this RemoteApp Program? prompt even though the Publisher is trusted?
Create a Self-Signed Server Certificate in IIS 7
https://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx
IT: How To Create a Self Signed Security (SSL) Certificate and Deploy it to Client Machines
Makecert.exe (Certificate Creation Tool)
https://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx
Tested example (sets the start date to 30.6.15 and the end dates is 20yrs+ later.
makecert.exe -r -pe -n “CN=rdscluster.test.world.com” -eku 1.3.6.1.5.5.7.3.1 -b 06/30/2015 -ss my -sr localmachine -sky exchange -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 “E:\Media\Cert\rdscluster.test.world.com.cer”
About Digitally Signing RemoteApp Programs
https://technet.microsoft.com/en-gb/library/cc754499.aspx
Create RDS Farm – Check list
https://technet.microsoft.com/en-us/library/cc753891.aspx
Install the RD Connection Broker Role Service
https://technet.microsoft.com/en-us/library/cc732076.aspx
Add Each RD Session Host Server in the Farm to the Session Broker Computers Local Group
https://technet.microsoft.com/en-us/library/cc753630.aspx
Configure an RD Session Host Server to Join a Farm in RD Connection Broker
https://technet.microsoft.com/en-us/library/cc771383.aspx
Configure DNS for RD Connection Broker Load Balancing
https://technet.microsoft.com/en-us/library/cc772506.aspx
Limit Profile Size
http://www.techrepublic.com/blog/the-enterprise-cloud/limit-profile-size-with-group-policy/
Note Files deleted from a network share do not go to the recycle bin. They are deleted permanently
Empty recycle bin at log off… GPO log off script –
User Configuration – POLICIES. WINDOWS SETTINGS – SCRIPTS – Logon/Logoff
Add Empty recycle bin batch
http://www.cryer.co.uk/brian/windows/batch_files/how_to_empty_recycle_bin.htm
e:
cd \$RECYCLE.BIN
del /s /q .
Types of profiles
User Configuration – Administrative Templates – System – Logon/Logoff
SHOW and HIDE ALL DRIVES
- A Create one policy for admins with show all drives https://support.microsoft.com/en-us/kb/231289
- Create a second policy for all users with hide all drives and a deny apply policy for admins https://support.microsoft.com/en-us/kb/816100
- Third policy has all the terminal server config details
Temporary Profiles Loading
Deploy Remote Desktop Server 2012 R2
Only a demo a view options of 2012 RDS
Remote Desktop Roles in server 2012 R2
- Remote Desktop Session Host – Hosts session
- Remote Desktop Connection Broker – Brokers the sessions
- Remote Desktop Web access – Web access
Deployment Options
- Quick Start – Stand alone server (deploys all roles to one server )
- Standard install – Multiple servers (deploys roles over multiple servers)
Quick Start – Stand alone server
- Installing session based desktop
Server 2012 forces you to create a farm with all three roles installed (session host, connection broker and web access).
- Installing Remote Desktop
Tip : Avoid adding the role using role services – support by Powershell only. Use the remote desktop services wizard for installation.
Use session-based desktop, or Virtual machine based desktop deployment (hyper-v and client).
Session based deployment
- On the RDS server
- On the Dashboard – Add roles and features
- Next
- Select Remote desktop services installation (Don’t use role based)
- Click next
- Click quick start for stand alone (alternative select standard)
- Select session based deployment
- Select current server – You must be logged in as a domain administrator
- Select restart automatically
- Click deploy
- Login to finish the deployment ( if the deployment fails, redo the install process and the install will complete)
- On the Dashboard, scroll to the right.
- Select quick session collection (remote app programs will appear hear)
Standard install – Multiple servers deployed
- Installing session based desktop
Standard will deploys roles over multiple servers
For this demo setup 3 RDS servers required
- RD Session Host
- RD Web Access
- RD Connection Broker
Note – Collections will need to be created manually and RemoteApps published manually
Installing Remote Desktop
Tip : Avoid adding the role using role services – supported by Powershell only.
Use the remote desktop services wizard for installation.
Use Session-based desktop
- RDS server (Connection Broker)
- On the Dashboard – Select all servers
- Right click all servers and select add servers (add the other two servers)
- Note : All servers required will now be visible
- On the Dashboard – Add roles and features
- Next
- Select Remote desktop services installation (Don’t use role based)
- Click Standard
- Select session based deployment
- Select current server – Logged on as administrator of the domain
- Select from the list which server will be the session broker ( it is possible to add the web access to this server if required)
- Next
- Select from the list which server will be the web access server
- Next
- Select from the list which server will be the session host server
- Select restart automatically and click deploy
- Login to finish the deployment ( if the deployment fails, redo the install process and the install will complete)
- close
Install complete, Create a Collection
- On the Dashboard, Remote desktop services, scroll to the right.
- Note : Roles will now be spread across the three servers.
- Scroll right select Tasks,
- Create session collection
- Specify a name
- Select session host
- Specify ‘domain users;
- Option for user profile disk, tick
- Set limit of 1GB on user profile settings
- Select a share path for available
- Create (Note : RDS GPOs are need to be removed)
- Close
Publish Apps
- Session Broker Dash board
- Select collection
- Tasks
- Publish remote app
- Select app from available list
- Click publish
RD Licensing
- Install Licensing server on the Session broker
- Each server has two CALS for administrators
- License is required with in 120days
- Activate server
- Purchase CALs to match licensing mode
- Per device CAL or User CAL.
- For this demo install require “Per User CALL”– Note this accepts any connections without limits
- On the dash board
- Select Overview
- RD Licensing
- Select session broker
- Click Add
- Close
Licensing Activation
- Select tools
- Terminal Services
- Remote Desktop licensing manager
- Activate server
- Install licenses
Session Collection Properties
User Groups, Session Settings, Tasks edit properties
- Sessions
When sessions are connected.
- Disconnect – set to end disconnected session after 8hrs
- Connection time limit – Never
- Idle session set to 2hrs
Security
- RDP Encryption
- SSL (TLS1.0) – requires certificates
- Negotiate – Select this option (The most secure layer that is supported by the client will be used)
Session Level of encryption options
- Low 56-bit encryption client to server, server to client is not
- Client compatible – Default level. Encrypts traffic to the maximum strength support by the client. Client and server is encrypted
- High, 128-bit encryption. Client need to support this level of encryption or they will not connect.
- FIPS Compatible – FIPS encryption
- Select session collection properties
- Select Security tab
- Security Layer Set negotiate
- Set High session level
- Untick allow connections only from computers with network level authentication (as we still have XP clients)
- Load Balancing
- Require more than remote desktop session host.
- Edit the properties of the collection
- Add the additional Session host to the collection
- Client Setting
- Configure client Settings
- Specify redirection
- Untick Audio, smart cards, allow client printer redirection
- Tick clipboard
- User Profiles Disk
- Enable User Profile disk.
- Each user will get a dedicated single virtual disk. (.vhdx created when a user logs)
- .vhdx file is mounted underneath c:\Profile Disk\ GUID is the name of the users file name
- .vhdx can mounted manually
- Profile Disk Share
- Create a share location for profile disk
- Share name “Profile Disks”
- Right click , properties, select advanced sharing
- Set share permissions to All to Full
- NTFS permissions User, set to modify
- See Share details under prerequisites
- User Profile Disk
- Collection properties
- Select user profile disk
- Tick enable user profile disk
- Set location to the share name
- Set size limits
- Store only the following in the profile
- (other options available to set)
- Client RDS access
Client RDP
- Save RDP (Save a RDP client on all clients to point to the connection broker)
- Edit the current RDP collection by opening with Notepad
- Edit : Use redirection server name:1:0
- Change to : Use redirection server name:1:1
- Add lines at the bottom : (this is to use the session broker as a load balancer)
- loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.collection name
Login in to a Windows 7 client with the RDS icon configured
- Web Access
RDP Settings – default settings
Login in to a Windows 7 client with the RDS icon configured
https://domainame/RDWeb/