Oracle VirtualBox – Configure Guest-VM network to communicate with Host network

by on September 18, 2020 at 11:59
Posted In: IT Blog

This is going to focus on configuring an Oracle Virtualbox VM to do a few things:
-make it so the host, and local host network can see, ping, remote and use fileshares to the Oracle Box guest VM
-Enable the Oracle box VM to still use it’s own built in DHCP (in case you have your own domain)

*I take no liabilities in configuring any of this, I had to figure this all out with trial and error!

The Setup

Host: Ubuntu 18.04 “Bionic Beaver” release
Software: Oracle VirtualBox (version 5.2.42-dfsg-0-ubuntu 1.18.04.1)
VM: Microsoft Server 2016 Domain Controller

For the purpose of this entry, I’m skipping over the creation of a VM, domain configuration and DHCP. All that’s configured within the Guest-VM Operating System. I won’t go into that, but what I will provide is a problem, and solution.

Problem
How can we get a already existing VM running MS domain services, to use it’s already pre-configured DHCP Scope, and yet allow it to talk with the rest of the host network?

Solution (short explanation):
Create a second network adapter in ‘bridged mode’, keep the primary network adapter in ‘NAT’ mode. Configure firewall rules on the Guest-OS to allow access.

Solution (long, and drawn out):
To preface this problem, I had a pre-existing domain controller with it’s own DHCP server. DHCP itself was handing out a 10.0.150.1/24 series of IP’s.

My VM Host however is on my home network, we’ll say that’s a 10.0.0.1/24 network. So how do we configure our VM to have access to our home resources?

First, turn off your VM.

1.Create a second Network adapter! From VirtualBox Manager goto Settings…

Orade VM Virtu•IBox M •na%r New Settings DC01 Running Show >ettings...<br /> Clone.<br /> denove„<br /> Show<br /> Eause<br /> Machine Tools<br /> Global Tools<br /> Ctrl•S<br /> ctrl-o<br /> lists all virtual machines and virtual<br /> mputer.<br /> represents a set Of tools Which<br /> n be opened) for the currently<br /> Of currently available tools check the<br /> right side Of the main tool bar<br /> indow. This list Will be extended With

2.Goto Network.

For this VM, I put in a NAT network. There’s dozens of different ways to do this, but for this example, I created a NAT with a specific scope to isolate my domain for testing purposes. Here’s the Oracle VirtualBox documentation.

DOI settings Network Adapter 1 Adapter 2 @ gnable Network (2 General System Dtsplay Storage Audio Network Serial Ports Shared Folders user Interface Attached to: Name: v Advanced Promiscuous Mode: MAC Address: NAT Network VNATOI 100150.0/24 Deny @ Cable Connected Port rorwaldirg

3.Create a New Network Adapter. Configure as ‘Bridged Adapter‘. In layman’s terms, a Bridged Adapter just means it’s using the physical connection from your host, and the VM is filtering data from the host.

General System Dtsplay Storage Audio Netvvork Serial Ports (2 Shared Folders user Interface DOI settings Network Adapter 1 Adapter @ gnable Network Attached to: Name: v Advanced Promiscuous Mode: Address. Bridged Adapter enp0s25 MT Oes«oø Deny @ Cable Connected Port rorwaldirg

4.From the Guest-VM, configure the networking to the same as the Host. You will need a static address from your DHCP – likely your home router or otherwise.

Internet Protocol Version 4 (TCP/IPv4) Properties Guest VM properties You can get [P settngs assigned automatcally if pur neb,Nork supguyrts this capability. Otherwise, you need to ask your neb,Nork administrator for the appropriate [P settngs. C) Obtain an [P address automabcally Example IP config • use the following [P address: [P addr ass: Subnet mask: Default gateway: 101 255 255 255 Obtain DNS server address automatcally • use the following DNS server addresses: Preferred DNS server: Alternate DNS server: [3 Validate settings upon exit

5.Configure the Guest-VM firewall rules to allow traffic from that specific subnet.

  • Goto Firewall settings (depending on your flavor of VM, this is a Windows VM so your mileage may differ), advanced settings -> Inbound rules.
  • Scope (local IP addresses): the IP of your Guest-VM
  • Scope (remote IP addresses): the IP, or range of your management workstations on your Host subnet

allow all 10.0.0.1/24 traffic Properties Programs and Services Remote Computers Protocols and Ports Scope Advanced local Principals Remote users Local IP address C) Any IP address VM-Guest Sample Rules @ These I P addresses 1000101 Ram ove Remote IP address @ Any IP address O These IP addresses

  • Protocols and Ports: I set mine to ANY. It’s up to you what you want to expose from your Guest-VM to your Host.

allow all 10.0.0.1/24 traffic Properties Programs and Services Remote Computers Protocols and Ports Scope Advanced local Principals Remote Protocols and ports Protocol type Protocol number local port Remote port VM-Guest Sample Rules Example 80. 443. Example 80. 443. 5000-5010 Intemet Control Message Protocol (ICM P) settings Customize ..

Programs and Services: ALL. Again, it’s up to you what you want to expose.

allow all 10.0.0.1/24 traffic Properties Protocols and Ports Scope Advanced local Principals Remote Ll sem Programs and Services Remote Computers Guest-VM Sample Rules @ All meet the specified conditions C) This program Application P ackages Specify tha application packages to which this rule applies Specify the services to which this rule applies

6.Now Test the configuration from your Host or a management computer on the same Host subnet:

test-netconnection -ComputerName 10.0.0.101 -Port 3389 -InformationLevel Detailed

 

(you can use ping test too, but I like to see the specific port)

ComputerName . 10.0.0.101 RemoteAddress . 10.0.0.101 Remoteport . 3389 . 10.0.0.101 Matchi I es Networklsol ationcontext : Internet IsAdmi n False InterfaceAI as Sour ceAddress . 10.0.0.36 NetRoute (NextHop) . o.o.o.o TcpTestSucceeded . True

Success! Connection to the RDP port 3389 works!

Now you can remote desktop to your VirtualBox Guest-VM from within your network. Also means you can continue deploying VM’s to that Virtual Domain Controller’s DHCP. Hope this helps the next person.

└ Tags: , , , , ,
 Comment 

GPO enable VSS in Win 7

by on June 5, 2014 at 12:38
Posted In: IT Blog

GPO VSS 1

Volume Shadow copy has saved my butt on file, exchange, and SQL servers.  Typically, IT departments discourage previous versions on desktops mainly because it opens up issues with disk space and if it’s really worth saving or rescuing an MP3 or AVI.

Of course, if you have the space on your client machines to do it, you can enable VSS and grant users the chance to recover files right from their own desktop machines.

First, create a new GPO and give a give it an appropriate name.
1. Enable the Volume Shadow Copy Service (VSS):

Computer Configuration->Windows Settings->Security Settings->System Services->Volume Shadow Copy and set to Automatic.

GPO VSS 3

2. Now give your users the ability to restore the files on their local PC’s:
User Configuration->Policies->Administrative Templates->Windows Components->Windows Explorer->Previous Versions->

Prevent restoring previous versions from backups  – disabled
Prevent restoring local previous versions – disabled

See the Previous Versions setting

See the Previous Versions setting

└ Tags: , , , ,

GPO add corporate picture to your AD logon account

by on June 4, 2014 at 12:09
Posted In: IT Blog

Win 7 default picture

The default windows logon picture, while very stock is a bit boring. If you’re in the corporate environment where a more suitable logon picture is preferred, here are your steps to adding a default picture to all user’s profiles.

First, pick a picture and make your edits to make it EXACTLY 128 x 128 pixels (you can use the picture in this post as a guide). Make your edits accordingly and make sure to save it with a .BMP extension.

Create a new GPO, name it ‘Default Win7 logon picture’. Goto
User Configuration -> Preferences -> Windows Settings -> Files and create a new file

Preferences->Windows Settings->Files->New” width=”280″ height=”390″> Create a new file in User Configuration->Preferences->Windows Settings->Files->New

Set Action to Replace
For Source file, place your newly created .BMP in the GPO unique ID path: (you can find it by going to the details tab of the newly created group policy)

note your unique ID here

The resulting path in the source file should look like:
\\domain\SYSVOL\domain\Policies\{really-long-unique-gpo-identifier}\User\Preferences\Files\User.BMP

For Destination File, enter:
C:\ProgramData\Microsoft\User Account Pictures\user.bmp
(to change the local windows 7 .BMP picture)

It should look like the above, be sure to be wary of the direction of your slashes "\"

It should look like the above, be sure to be wary of the direction of your slashes “\”

Lastly, apply the GPO to the proper User OU and make sure to do a Gpupdate /force.

*Alternatively, you can place your .BMP in a separate share on your network, ideally a DFS model will do as a general share requires full permissions.  The size of this particular .BMP was only 100KB, so Active Directory replication will be minimal.

└ Tags: , , ,

Disable .exe’s from running inside any user %appdata% directory – GPO

by on June 1, 2014 at 22:00
Posted In: IT Blog

The Cryptolocker virus out there in the wild and I’ve seen it happen on a few computers and it’s certainly not pretty. The details are sorrid, but in a nutshell what happens is a crytolocker virus gets onto your computer, locks all your pertinent files and demands a ransom amount so you can get your files back. Those who pay the ones delivering the virus will become more bold and will start demanding more money.

What can you do to protect your company?
Create some Group Policies to lock down likely places for Malware / Spyware / Grayware / Cryptodefense and other likely .exe programs from running:

– Open up Group Policy and create new GPO
– Title this policy Disable .exe from %appdata% and click OK
– Right click on this policy and select Edit
– Navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
– Right click on Software Restriction Policies and click on ‘New Software Restriction Policies’
– Right click on Additional Rules and click on ‘New Path rule’ and then enter the following
information and then click OK

Path: %localAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData (Win 7)

Path: %localAppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData subfolders (Win 7)

Path: %localAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Prevent unarchived executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Prevent 7zipped executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Prevent Rar executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Prevent Winzip executables in email attachments from running in the user space (Win 7)

The following paths are for Windows XP machines (if you still have them; I put these in just in case with the same disallow security settings)
%AppData%\*.exe
%AppData%*\*\*.exe

Create your new path rules as seen above

Create your new path rules as seen above

GPO Selections

Your final selections should look like the above. Make sure to apply the GPO to the proper OU once done.

 

 

*Update Feb 02, 2016*

I spent some time on a conference call with some Malwarebytes reps, I’ve been test driving a beta version that’s now available to the public.

Introducing Malwarebytes Anti-Ransomware

As I understand, the good folks at MalwareBytes will be conglomerating all their products: Anti-Malware, Anti-Ransomware, Anti-Malware, and Anti-Exploit into one nice big runtime. (date not yet announced).

 

└ Tags: , , , , ,

Editing Office 2013 installs via Group Policy

by on March 12, 2014 at 16:20
Posted In: IT Blog

MS GPO

 

 

With the new Office getting pushed out, I was running into problems with PST files, namely I didn’t want them in my environment cluttering things up and causing a ruckus on local computers. After a bit of research I found a way to use Group Policy to change this, and multitude of different options within the MS Office Suite.

First, you’ll need the MS Office 2013 administrative template (you are given a choice between 32bit and 64bit.  Do keep in mind that as of this writing, Adobe Reader hasn’t gotten around to creating a 64bit reader plugin, so I’m sticking with 32bit installs).

Once downloaded, extract somewhere and copy the *.admx files and EN-US directory to:

%SYSVOL%/domain/Policies/PolicyDefinitions
Otherwise you can go into

\\DOMAIN\SYSVOL\DOMAIN\Policies\PolicyDefinitions
I didn’t actually have a PolicyDefinitions directory so I manually created one and raised my domain functional level up to 2008 due to one pesky 2003 server in the environment that’s since been phased out.

 

Copy these files to your \\Sysvol\ directory where the rest of the domain policies exist

Copy these files to your \\Sysvol\ directory where the rest of the domain policies exist

 

once done copying, goto your Group Policy and create a new object (something relevant to your office suite) and take a look under 
User Configuration -> Administrative Templates:
MS Office 2013 GPO Admin Template expanded
You now have a large grouping of new Office objects you can manipulate.
Create a new Group Policy (name it something relevant) and look at the Administrative Templates.
The settings I was looking for were:
User Configuration->Policies->Administrative Templates: Policy definition->MS Outlook 2013->Miscellaneous->PST Settings
MS Office 2013 GPO-PST settings
Now you can add all PST files to the network instead of bogging down a local PC as potential pain point in case of a local computer crash.
Otherwise, you can take PST’s right out of the picture by Disabling the AutoArchive Settings:
User Configuration->Policies->Administrative Templates: Policy definition->MS Outlook 2013->Outlook Options->Other->AutoArchive
MS Office 2013 GPO-disable AutoArchive
Lastly, apply to the proper OU’s and do a GPUpdate /force on the domain controller and the client machine.
These screencaps were done within a Server 2008 R2 environment with a fresh deployment of Office 2013 Professional.  The same steps can be applied for Office 2007, and Office 2010.
 Comment