Mike Ratcliffe

About Mike Ratcliffe

Mike Ratcliffe is a hard-working, self-motivated system administrator who adapts quickly to new technology, concepts and environments. With over a decade of experience in information technology and having held numerous titles and responsibilities throughout his career, he currently focuses on system administration of Microsoft Active Directory and related technologies, Microsoft Exchange, and VMware virtualization.

SonicWALL Hidden Features and Configuration Options


Earlier I stumbled across a hidden set of features and settings in a TZ215 by going to /diag.html and figured I'd share this with everyone in case you were unaware of it, as I was. It appears to be available in all of the TZ series devices, the SOHO, and likely others. On the main page you will see the following disclaimer.


Under Internal Settings there are quite a few settings and options, some more useful than others. For me the option I needed was “Disable Port Scan Detection” under the Firewall section. Below is a rough list of some of the options. Keep in mind these options are undocumented and unsupported, and it is suggested to only make changes to these values if instructed by Dell Technical Support. Enjoy!



Trace Log:

  • Trace Log: [Current \/]
  • [Download Trace Log]
  • [Clear Trace Log]

ARP Settings:

  • Enable ARP bridging
  • Enable open ARP behavior (WARNING: Insecure!!)
  • Enable Source IP Address validation for being directly connected
  • Only allow ARP entries with unicast addresses
  • Limit ARPS of non-responsive IPs
  • Bypass ARP processing on L2 bridge interfaces
  • Enable Gratuitous ARP Compatibility Mode
  • Never broadcast more than 100 Gratuitous ARPs in any 60 second period.
  • Periodically broadcast system ARPs every 60 minutes.
  • Ignore ARPs with primary-gateway’s MAC received on other interfaces
  • [Send System ARPs…]

Routing and Network Settings:

  • Flush flows on alternate path when normal route path is enabled (affects existing connections)
  • Update route version when route is enabled/disabled (affects existing connections)
  • Enable TCP packet option tagging
  • Fix/ignore malformed TCP headers
  • Enable TCP sequence number randomization
  • Perform SYN validation when not operating in strict TCP compliance mode
  • [Clear OSPF Process]
  • Clear DF (Don’t Fragment) Bit
  • Allow first fragment of size lesser than 68 bytes
  • Enable ICMP Redirect on DMZ zone
  • Disable learning-bridge filtering on L2 bridge interfaces
  • Never add static default routes to the NSM route database
  • Enable stack traffic sending by DP core

DHCP Settings:

  • Enable DHCP Server Network Pre-Discovery
  • DHCP Server Conflict Detect Period: 300 Seconds
  • Number of DHCP resources to discover: 10
  • Timeout for conflicted resource to be rechecked: 1800 Seconds
  • Timeout for available resource to be rechecked: 600 Seconds
  • [Save DHCP Leases To Flash]
  • Send DHCPNAK if the ‘requested IP address’ is on the wrong network
  • Time interval of DHCP lease database to be refreshed: 600 Seconds
  • Number of DHCP leases in database to be refreshed: 10
  • Aggressively recycle expired DHCP leases in advance

VoIP Settings:

  • Maximum ‘public’ VoIP Endpoints: 2048
  • H.323 Force Odd Media Control Port
  • Auto-add SIP endpoints
  • Transform SIP URIs to have an explicit port
  • Permit B2BUA to bind established calls together
  • SIP connection refresh interval (seconds): 40
  • Flush active media for SIP INVITEs without SDP
  • Flush unused media for SIP INVITEs without SDP
  • [Reset SIP Databases]

VPN Settings:

  • Do not adjust TCP MSS option for VPN traffic
  • Use interoperable IKE DH exchange
  • Fragment VPN packets after applying ESP
  • Use SPI/CPI parameter index for IPsec/IPcomp passthru connections
  • Accept Reserved ID Type in Quick Mode.
  • Trust Built-in CA certificates for IKE authentication and Local certificate import.
  • Enable Compatibility with Android 4.0 Client.

Encryption Settings:

  • Enable Hardware Encryption
  • Disable SSLv3
  • Disable TLSv1

DP stack Settings:

  • Enable DP stack processing

Firewall Settings:

  • FTP bounce attack protection
  • Allow orphan data connections
  • Allow TCP/UDP packet with source port being zero to pass through firewall
  • FTP protocol anomaly attack protection
  • IP Spoof checking
  • Disable Port Scan Detection
  • Trace connections to TCP port: 0
  • Include TCP data connections in traces
  • Enable Tracking Bandwidth Usage for default traffic
  • Enable to bandwidth manage WAN to WAN traffic
  • Decrease connection count immediately after TCP connection close
  • Protect against TCP State Manipulation DoS
  • Disable CSRF Token Validation
  • Disable Secure Session ID Cookie
  • [Flush Connections]
  • Deschedule Packet Count:
  • Refresh sub-domains of wildcard FQDN address objects

Security Services Settings:

  • Apply IPS Signatures Bidirectionally
  • Enable IP fragment reassembly in DPI
  • Extra dev debug info
  • Disable TCP expected sequence adjustment in DPI
  • Disable App-Firewall SMTP CHUNKING modification
  • Disable Gateway AV POP3 Auto Deletion
  • Disable Gateway AV POP3 UIDL Rewriting
  • Disable Gateway AV SMB read/write ordering enforcement
  • Log Virus URI.
  • Do not apply signatures containing file offset qualifiers that trigger on TCP Streams with unidentified protocols.
  • Minimum HTTP header length (0 to disable): 0
  • Enable incremental updates to IDP, GAV and SPY signature databases.
  • Enable enforcement of a limit on maximum allowed advertised TCP window with any DPI-based service enabled.
  • Set a limit on maximum allowed advertised TCP window with any DPI-based service enabled (KBytes): 256
  • Disable signature database reload.
  • Threshold above which size limits are enforced on Regex Automaton: 1500
  • Maximum allowed size for Regex Automaton: 3000
  • Limit IPS CFT scan.
  • Enforce Host Tag Search for CFS
  • [Reset AV Info]
  • [Reset Client CF Enforcement Info]
  • [Reset Client CF Enforcement Cache]
  • [Reset Licenses & Security Services Info]
  • [Reset HTTP Clientless Notification Cache]
  • [Reset Cloud AV Cache]

DPI-SSL settings:

  • Rewritten certificate SN modifier:
  • Client spoofed certificate caching:
  • Remove TCP timestamp option:
  • Drop SSL packets when memory low:
  • Allow SSL without proxy when connection limit exceeded:
  • Disable Endpoint TCP Window Setup:
  • Disable Server Facing Session Reuse:
  • Block connections to sites with untrusted certificates:
  • Max stream offset to check for SSL client-hello resemblance: 512
  • TCP window multiplier (N * 64k):
  • Override max proxied SSL connections:
  • Disable SSLv3 client connections in DPI-SSL:
  • SSL Version:
  • Cipher Methods

High Availability Settings:

  • Enable Network Monitor probing on Idle unit
  • HA Failover when Packet Pool is Low on Active Unit
  • Suppress Alarm on HA Transition to Active
  • Always restart HA backup for watchdog task
  • Send gratuitous ARP to DMZ or LAN on transparent mode while HA failover
  • Maximum number of gratuitous ARP of transparent mode per interface while HA failover: 256
  • Maximum number of gratuitous ARP while HA failover: 1
  • Send Syslog messages from both HA units with unique serial numbers

PPPOE Settings:

  • Allow LCP requests to PPPOE Server
  • Log LCP Echo Requests and Replies between client and server
  • Enable PPPoE End-Of-List Tag
  • PPPOE Netmask:

Dial-Up Settings:

  • Display dialup status on console
  • PPPDU Max Configuration Failures: 9
  • [Restart Dial-Up Devices]

One-Touch Configuration Helpers:

  • [DPI and Stateful Firewall Security] (Preview applicable changes)
  • [Stateful Firewall Security] (Preview applicable changes)

Management Settings:

  • Use Standby Management SA
  • Allow SGMS to preempt a logged in administrator
  • Prioritize the following selected traffic types below to be highest and above all other traffic types:

User Authentication Settings:

  • Post authentication user redirect URL: [ ]
  • Log an audit trail of all SSO attempts: (X) in the event log  ( ) in memory to download as ssoAuthLog.wri, max. buffer size: 64 KBytes.
  • When buffer is full: (X) stop  ( ) wrap. Download ssoAuthLog.wri / Download and reset ssoAuthLog.wri
  • For user IP addresses: [All \/]
  • Include SSO polling / Include SSO bypass / Include additional non-initiation of SSO
  • Try to negotiate SSO agent protocol to version: 5 (default protocol version is 5)
  • [Logout All users]

Diagnostics Settings:

  • Disable SonicSetup/Setup tool Server
  • Trace message level: [Warning \/]
  • For diagnostic testing purposes, auto-restart system every 60 minutes.
  • Secured www.mysonicwall.com crash analysis

Watchdog Settings:

  • Do not restart for watchdog task
  • Restart quickly after an exception
  • Restart when packet pool is low

IPHelper Settings:

  • Enable no source port matching for replies from DHCP servers.
  • Disable Reverse Path check for Source IP.
  • Disable ingress egress check.

Wireless Settings:

  • Wireless Advanced Settings
  • Set Local Bit for Virtual Access Point BSSID MAC Address
  • Allow same Virtual Access Point groups to be used for dual radios
  • Supported SonicPoint Type: [All \/]
  • SonicPoint-N System Self Maintenance: [Weekly (3:00AM Every Sunday) \/]
  • Legacy SonicPoint A/B/G and SonicPoint-G Only Management Enforcement
  • [Update All SonicPoint’s Firmware]
  • SonicPoint KeepAlive Enforcement
  • SonicPoint Provisioning Protocol TCP Window Size: 1400
  • Use Default TCP Window Size For SonicPointN Provisioning Protocol
  • SonicPointN Provisioning Protocol TCP MSS Setting:
  • (X) Use Default Value.
  • ( ) Customized TCP MSS: 1460 bytes.
  • Prefer SonicPointN 2.4GHz Auto Channel Selection to be 1, 6 and 11 only
  • SonicPointN SSH Management Enable
  • Enable SonicPoint (N) IP address retaining
  • SonicPointN Logging Enable
  • Erase SonicPoint Crash Log generated by previous firmware image when SonicPoint image is updated
  • SonicPoint-Ni/Ne Noise Sensitivity Level: (The higher noise sensitivity level should be selected when the RF environment is getting noisier) [Medium \/]
  • SonicPointN Reboot When Noise Safe Mode Detected
  • Use SNAP packet between SonicPoint / SonicPointN and Gateway
  • Send Need Fragment ICMP packet to SonicPoint / SonicPointN client
  • Enable intra-WLAN Zone communication for bonjour packet
  • WLAN DHCP lease / ARP delivery success rate enhancement
  • Wireless Guest Services Redirect Interval: 15 Seconds
  • Legacy WiFiSec Enforcement support
  • Do not apply WiFi security enforcement on reply traffic from WLAN to any other zone
  • Enable WLAN traffic DP core processing capability
  • Enable intra-WLAN Zone communication for broadcast packet
  • Enable local wireless zone traffic to bypass gateway firewalling

Tooltip Settings:

  • Enable tooltip with no descriptions

Preferences Conversion:

  • Preference Processor Server: convert.global.sonicwall.com
  • Site Relative Directory: /popup
  • Enable checking when importing settings

Anti-Spam Service:

  • Disable SYN Flood Protection for Anti-Spam-related connections
  • Use GRID IP reputation check only
  • Disable GRID IP reputation checking for Outbound SMTP connections
  • Do NOT disable custom user email policies when Anti-spam is enabled
  • Allow Limited Admin users to configure Anti-Spam Service.
  • Bypass SHLO Check when Junk Store is unavailable (while Email Security is operational).
  • Do NOT verify incoming SHLO
  • Marked as replay if incoming SHLO time stamp is more than: 3600 secs
  • [Clear Statistics]
  • [Reset GRID Name Cache]
  • [Delete Policies and Objects]
  • CASS Cloud Service Address: [Resolve Automatically \/]

Email System Detection:

  • Enable Email System Detection

TZ Default Port Assignment:

  • TZ Basic (LAN/WAN) Mode

Remote Assistance:

  • Enable Remote Assistance

SSLVPN Settings:

  • NetExtender(for Windows) Version: [ ]
  • Hide Remote EPC feature

WAN Acceleration Settings:

  • Enable checking of connection responses by remote WAN Acceleration device
  • Temporarily bypass TCP Acceleration for failed proxied connections (minutes): 15
  • Temporarily bypass TCP Acceleration for short-lived proxied connections (minutes): 60
  • Skip TCP Acceleration for stateful control channels (but accelerate data channels)
  • Enable Transparent CIFS acceleration
  • Enable WXA Web Cache Redirection
  • [Zero debug stats]
  • [Show debug stats]
  • [Open WXA Internal Settings Page]
  • [SSH to WXA appliance]

Backend Server Communication:

  • Prevent communication with DELL Backend servers
  • Server Connection Timeout (sec): 30

Log Settings:

  • Exempt unfiltered events from global, category-level and group-level changes
  • [Restore Unfiltered Event Settings]
  • Main Log Process Reschedule Interval: 100
  • Log Entries
  • SMTP Read Timeout (sec): 10

IPv6 Settings:

  • Enable enforcement of IPv6 Ready Logo requirement

ICMP Settings:

  • Enable enforcement of Dropping Unreachable ICMP packet
  • Enable enforcement of Dropping Time Exceed ICMP packet

Debug Option:

  • Disable Pkt Monitor Application Detection
By | 2017-01-24T09:51:07+00:00 March 10th, 2016|IT Services|

Veeam Backup and Replication: Configuring custom synthetic full backups schedule instead of just default Monday-Sunday

When backing up large VMs and keeping a high number of restore points with Forever Incremental it is important to have the occasional full backup to minimize the time it takes to restore data. For the sake of speed, Synthetic full backups are the obvious choice. Unfortunately the Veeam Backup and Replication UI only allows you to configure Synthetic full backups as often as once a day or as little as once a week.


For some, this may not present a problem, however if you are using Windows Deduplication and backing up large amounts of data, running Synthetic full backups once a week could result in a lot more data than Windows Deduplication can handle depending on resource availability.

As with most things, this can be solved using a PowerShell script. Below is the PowerShell script I use to enable and disable synthetic full backups. I'll step you through the script; however, if you prefer, you can skip to the bottom for the complete script.

Because I am enabling and disabling Synthetic fulls, to avoid the need for two different scripts (one to disable and one to enable), I create a parameter and use it within a switch. Create a string-based parameter at the start of the script like this. In this case the parameter is $option.




Next add the VeeamPSSnapIn.

Add-PsSnapIn VeeamPSSnapIn

Now configure the switch options. In this example, there are three switch options: enable (where we will enable the synthetic full backups), disable (where we will disable synthetic full backups), and default (which, if enable or disable are not specified, just lets you know nothing was changed and that you need to specify an option when running the script).

switch ($option)
{
       enable {}

       disable {}

       default {}
}

To enable/disable synthetic full backups, I use Get-VBRJob and pipe that to Set-VBRJobAdvancedBackupOptions.

TransformFullToSyntethic corresponds to the “Create synthetic full backups periodically” option and TransformIncrementsToSyntethic to the “Transform previous backup chains into rollbacks” option you will see in the UI. Everything else is pretty straightforward. In this example, synthetic full backups are set for Sunday.

enable {
    Get-VBRJob -name "Your Backup Job" | Set-VBRJobAdvancedBackupOptions -Algorithm Incremental -TransformFullToSyntethic $True -TransformIncrementsToSyntethic $False -TransformToSyntethicDays "Sunday"
}


Another variation would be making the change on the remote Veeam Backup and Replication server…

enable {
    invoke-command -computername YourComputer -scriptblock {Add-PsSnapIn VeeamPSSnapIn; Get-VBRJob -name "Your Backup Job" | Set-VBRJobAdvancedBackupOptions -Algorithm Incremental -TransformFullToSyntethic $True -TransformIncrementsToSyntethic $False -TransformToSyntethicDays "Sunday"}
}


Also if you want to chain multiple jobs in any of these switch options just use ; at the end of each.

enable {
    Get-VBRJob -name "Your Backup Job" | Set-VBRJobAdvancedBackupOptions -Algorithm Incremental -TransformFullToSyntethic $True -TransformIncrementsToSyntethic $False -TransformToSyntethicDays "Sunday";

    invoke-command -computername YourComputer -scriptblock {Add-PsSnapIn VeeamPSSnapIn; Get-VBRJob -name "Your Backup Job" | Set-VBRJobAdvancedBackupOptions -Algorithm Incremental -TransformFullToSyntethic $True -TransformIncrementsToSyntethic $False -TransformToSyntethicDays "Monday"}
}


On a side note, the synthetic full backup will run at the first incremental schedule of the day so you may want to add an additional incremental time to your schedule to accommodate this.

Now repeat for the disable switch changing the TransformFullToSyntethic to $false and give the default switch option a message.

Once the script is built, schedule it based on your desired needs. Below is an example of how to schedule it using the Windows Task Scheduler.

Action: Start a program

Program/Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Add Arguments: -ExecutionPolicy Bypass -command "& 'c:\scripts\SyntheticFulls\EnableDisableSynthetic.ps1' 'enable'"

Start in: C:\Scripts\SyntheticFulls


The complete script:

param([string]$option)

Add-PsSnapIn VeeamPSSnapIn

switch ($option)
{
       enable {Get-VBRJob -name "Your Backup Job" | Set-VBRJobAdvancedBackupOptions -Algorithm Incremental -TransformFullToSyntethic $True -TransformIncrementsToSyntethic $False -TransformToSyntethicDays "Sunday"}

       disable {Get-VBRJob -name "Your Backup Job" | Set-VBRJobAdvancedBackupOptions -Algorithm Incremental -TransformFullToSyntethic $False -TransformIncrementsToSyntethic $False -TransformToSyntethicDays "Sunday"}

       default {"Nothing was changed because no option was specified. Specify either -option enable or -option disable"}
}
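As an added example that is not from the original post, here is the same Set-VBRJobAdvancedBackupOptions call driven from a mapping of job name to synthetic-full day, with each job's options read back afterwards so a change that silently did not apply is reported. The job names are placeholders, and the read-back property path (Get-VBRJobOptions, BackupTargetOptions.TransformFullToSyntethic) is an assumption about the Veeam PowerShell snap-in.

```powershell
# Added example (not the original post's script): enable or disable synthetic
# fulls for several jobs, each on its own day, and verify the result.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('enable', 'disable')]
    [string]$Option
)

Add-PSSnapin VeeamPSSnapIn

# Placeholder mapping: backup job name -> day on which its synthetic full runs.
$jobSchedule = @{
    'Your Backup Job'    = 'Sunday'
    'Another Backup Job' = 'Wednesday'
}

$enableSynthetic = ($Option -eq 'enable')

foreach ($jobName in $jobSchedule.Keys) {
    $job = Get-VBRJob -Name $jobName
    if (-not $job) {
        Write-Warning "Job '$jobName' not found; skipping."
        continue
    }

    # Same cmdlet and parameters as the post; only the flag and day vary per job.
    $job | Set-VBRJobAdvancedBackupOptions -Algorithm Incremental `
        -TransformFullToSyntethic $enableSynthetic `
        -TransformIncrementsToSyntethic $false `
        -TransformToSyntethicDays $jobSchedule[$jobName] | Out-Null

    # Read-back. Assumption: Get-VBRJobOptions exposes the flag under
    # BackupTargetOptions.TransformFullToSyntethic.
    $opts   = Get-VBRJobOptions -Job (Get-VBRJob -Name $jobName)
    $actual = [bool]$opts.BackupTargetOptions.TransformFullToSyntethic
    if ($actual -eq $enableSynthetic) {
        Write-Output ('{0}: synthetic fulls {1}d on {2}' -f $jobName, $Option, $jobSchedule[$jobName])
    } else {
        Write-Error "Read-back mismatch for '$jobName': expected $enableSynthetic, got $actual"
    }
}
```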


Hope you found this information helpful.  I look forward to Veeam adding an option to do this in their UI in the future.

For more information about Veeam Backup and Replication visit https://www.veeam.com/vm-backup-recovery-replication-software.html

By | 2017-03-21T13:45:59+00:00 February 29th, 2016|IT Services|

Configuring a SonicWALL TZ-105 Network Security Appliance – Part 1

In today’s post I am going to walk you through configuring a SonicWALL TZ-105 Network Security Appliance. In part one I will be covering basic connectivity, configuring the LAN and WAN interfaces, setting port assignments, the DHCP Server, Access Rules, Service Objects, Log Automation, exporting your configuration, and upgrading the firmware. Future posts will include more advanced configurations such as L2TP VPN, SSL VPN, Wireless N (available on the TZ-105W), and 3G/4G fail over.

If you haven’t had the privilege of working with one of these devices yet, here is what is included with a standard TZ-105. SonicWALL TZ-105, 12v adapter, power cord, patch cable, and a Quick Start Guide. The Quick Start Guide gives you some brief information about how to connect the device, the default IP, registering the device on www.mysonicwall.com, and where to download the latest firmware. Surprisingly what is not included is the default username and password for the device (unless I am overlooking it somewhere).


Once you have the device unpacked, connect LAN port directly to a workstation and connect the power adapter.



From your workstation release/renew your IP and navigate to Login with the default username and password admin/password.


From the main System Status page, you should see a handful of warnings/actionable items (The password hasn’t been changed, you have not specified a DNS server address, Log messages cannot be sent, and Your Dell SonicWALL is not registered).  This is expected and you can ignore these for now.


The quickest way to get started with the initial configuration is to use the included Wizard. In the top right hand corner, select Wizards.


Select Setup Wizard and click next.


Set your new password and click next.


Set your time zone and click next.


Here we could start the initial configuration of 3G/4G if available. In this case, select None and click next.


Set the WAN Network Mode that matches your environment. In this case, I will be selecting Router-based Connections because I will be using a static IP provided by my ISP.


Enter your WAN IP address, subnet mask, gateway and DNS servers. The bottom two items are optional; however, for security reasons, I highly recommend that you do NOT enable “Allow HTTPS on the WAN interface”.


Set the LAN IP and subnet mask and click next.


In my case, I don’t need the SonicWALL to act as a DHCP server. Uncheck Enable and click Next.


For port assignment, select what best suits your environment and click Next. I typically use the Default WAN/LAN Switch.


The next screen is a summary of the configuration. Review and click Apply.


Click Close.


At this point, unless you kept the subnet, you will need to release/renew the IP on your workstation again (if you left DHCP enabled) or set a static IP in the new subnet.  From your browser, navigate to the new IP and login using the new password.

The initial configuration of your device is complete. If you need to review or make adjustments to these settings individually you can find them in the locations below.

Change Password: System>Administration

Change Time Zone: System>Time

3G/4G Configuration: 3G/4G/Modem>Settings

LAN/WAN Interfaces: Network>Interfaces

Port Assignments: Network>PortShield Groups

Firewall Configuration (Address Objects, Services, Service Groups, NAT Policies and Access Rules):

Now that the initial configuration is complete, let’s move to configuring the Firewall. Again, the quickest way to get started is to use the included Wizard.

Select Wizards in the top right hand corner.

Select Public Server Wizard and click next.


In my case, I need to allow inbound TCP traffic for SMTP, POP3, HTTP, HTTPS, and PPTP. Because the Wizard is somewhat limited as to what you can specify, I’ll just select Mail Server SMTP and POP3 for now and I’ll add the remaining services to the Service Object that the Wizard creates. Click Next.


Specify the name of the server (this is just for reference purposes) and specify the internal IP.  Click Next.


On the summary screen, review and note the Server Address Objects, Service Group Objects, NAT Policies, and Access Rules that are being created. Click Apply.


Click Close.


Next we need to add the remaining services (HTTP, HTTPS, and PPTP) to the newly created Service Object. In the left hand navigation, Expand Firewall and select Service Objects. Scroll down until you see the Service Group that was created by the wizard and click the Edit button beside that object.


Locate the remaining services and move them to the right hand side. Click OK.



For quick reference, you can hover over the service object to see the service properties which will list the services, protocol and ports assigned to that service object.


SonicWALLs tend to be pretty good about the preexisting services you have to select from; most of the common services are already created however in some cases you may need to create a service if it is not available in the list. To create a service, navigate to Service Objects. Within Services, click Add.



Specify a name for the service for reference and enter the protocol and port range. Click Add. The newly created service will now be available to add to a Service Group.


Configuring Log and Alert Automation:

From the left hand Navigation, select Log and then select Automation.


From the Automation screen you can configure your mail server and where to send Logs and/or Alerts. In my case, I am only going to enable Alerts to Email.


Upgrading SonicWALL Firmware:

You can obtain the latest firmware from your http://www.mysonicwall.com portal. The firmware file will have a .sig extension. To upgrade the firmware navigate to System and then click Settings.


Click Create Backup Settings. You will notice a third line item named “Current Firmware with Backup Settings” will appear.


Next, click Upload New Firmware. Browse to the .sig file and click OK. Click Upload.


If the firmware uploaded successfully, you should now see “Uploaded Firmware with Backup Settings – NEW!”.


On the “Uploaded Firmware with Backup Settings – NEW!” row, click Boot. Review the pop up box and click OK.


The firmware will take a few minutes to install. Once installed you can confirm the update was successful by noting the Current Firmware version in the Firmware Management section.


Configuration Import/Export:

In the left hand navigation, select System and then Settings. From here you can export your current settings. I highly recommend exporting settings before and after any significant change to the device once it is in production. From the same location, you can import existing configurations.


Well there you have it. Pretty straightforward configuration once you become familiar with SonicWALL’s layout and terminology. For more information about SonicWALL please visit http://www.sonicwall.com/us/en/ and/or http://www.mysonicwall.com



By | 2017-03-21T13:47:58+00:00 May 21st, 2015|IT Services|

Who deleted my files?

When important files and folders turn up missing, in addition to restoring the data, users typically want to know what happened to them. Very often the files and folders can be found in a surrounding folder due to an accidental drag and drop; in other cases someone actually deleted them. When this happens the owner probably wants to know “WHO DID IT?”

Unfortunately, in a Windows Server environment, file auditing is not turned on by default. Therefore, when faced with a request to identify who deleted the data, you are left with no other choice but to say the dreaded phrase that no system administrator ever wants to utter: “I don’t know…” That is not something your users, and especially not your business owners, ever want to hear.

That said, be proactive and enable auditing. It’s pretty quick and simple and I will go through this using traditional auditing methods (rather than the advanced auditing policy configuration which I may cover in a future post). Here is what you will need to do.

First we need to enable auditing of files and folders on the server. I recommend doing this in a GPO for consistency and visibility however for non-domain servers this can be done via the local policy (secpol.msc).

Locate a GPO that is linked to an OU your server is in or create a new GPO and link. In our case, we want to audit the file system on our domain controllers so I am using the “Default Domain Controllers Policy”.

Navigate to Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Audit Policy and enable “Audit object access – Success”.

Note: In the Local Security Policy it can be found in Security Settings>Local Policies>Audit Policy


Run a gpupdate /force on the server once the policy has been configured.

Next, identify the files/folders you would like to audit. In this case we are going to enable auditing on the entire E drive of our DCs. From a Windows Explorer window, go to Properties of the file, folder or drive and select Security>Advanced>Auditing and click Edit.

From the Auditing tab, click add and enter the users or groups you want to audit. In our case, we want to audit ‘Everyone’. Once you click OK you will be prompted to select what you would like to audit. In this case, we are only going to audit ‘Delete subfolders and files’ and ‘Delete’ and, since we are only concerned if someone successfully deletes a file or folder, we only need to place checks in the Successful column of the two items.


Because you are changing the security, if applying this on a folder or drive, once your click OK it will run through all of the files and folders setting the security information. Depending on the size of your folders or drives this could take a considerable amount of time.


Once completed you should expect to see events 4663 and 4660 on Windows Server 2008 and above (560 and 564 on legacy systems, I believe) in the Security log under Windows Logs when files and folders are deleted on the audited folder or drive. Below are a couple of examples.
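As an added example that is not from the original post, the following PowerShell joins the 4660 and 4663 events described above to answer the question in the title: 4660 (object deleted) names the user and process but not the file, while the matching 4663 (handle opened with the DELETE right) names the file and shares the same HandleId and ProcessId. It assumes the audit policy and SACL from the steps above are in place; the computer name and time window are parameters you supply.

```powershell
# Added example (not from the original post): report who deleted which file
# by correlating Security events 4660 and 4663 on HandleId + ProcessId.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$StartTime = (Get-Date).AddDays(-1)
)

function ConvertTo-EventDataHash {
    # Flatten the <EventData> section of a Security event into name -> value.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$filter = @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $StartTime }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No 4660/4663 events on $ComputerName since $StartTime."
    return
}

# Index the 4663 events that requested DELETE (0x10000) by HandleId|ProcessId.
# Other 4663 events (read/write access) are not relevant to a deletion.
$opensByHandle = @{}
foreach ($e in ($events | Where-Object { $_.Id -eq 4663 })) {
    $d = ConvertTo-EventDataHash $e
    $mask = [Convert]::ToInt64($d['AccessMask'], 16)
    if (($mask -band 0x10000) -eq 0) { continue }
    $key = '{0}|{1}' -f $d['HandleId'], $d['ProcessId']
    $opensByHandle[$key] = $d
}

# For every 4660, look up the 4663 that opened the same handle to get the path.
$deletions = foreach ($e in ($events | Where-Object { $_.Id -eq 4660 })) {
    $d = ConvertTo-EventDataHash $e
    $key  = '{0}|{1}' -f $d['HandleId'], $d['ProcessId']
    $open = $opensByHandle[$key]
    $path = if ($open) { $open['ObjectName'] } else { '<no matching 4663 in window>' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Path    = $path
        Process = $d['ProcessName']
    }
}

$deletions | Sort-Object Time | Format-Table -AutoSize
```

Handle IDs are reused over time, so keep the time window short on busy servers; a 4660 without a partner usually means its 4663 fell outside the window or the log wrapped, which is why the post's advice on raising the Security log size matters.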



Also note, depending on how often files/folders are deleted, this could result in an extended amount of logging. Unless absolutely necessary, strongly consider minimizing which users and which folders are being audited instead of using ‘Everyone’ on an entire drive as we have done in this example.

Also, since this will add additional entries in your Security log, I suggest reviewing the Maximum log size and increasing as necessary. Go to Properties of the Security log to increase the maximum log size.



That’s it. For more information regarding group policy and/or auditing see Microsoft TechNet. Happy Auditing!




By | 2017-01-24T09:55:50+00:00 October 1st, 2014|IT Services|

Creating Self-Signed/Internal CA Certificates for Exchange 2007/2010

As an MSP who implements and administers Microsoft Exchange environments for an abundance of clients, I find myself doing certificate-related tasks quite often. In most cases Exchange certificates are handled via third-party certificate authorities; however, I recently had the need to generate a self-signed/internal CA Exchange certificate and figured I would write a quick post regarding the process. In the following examples I’ll use the domain contoso.com.

First, from Exchange Management Shell, we need to generate the request using the cmdlet New-ExchangeCertificate.  Use ‘Get-Help New-ExchangeCertificate -full’ for additional parameters and syntax.

New-ExchangeCertificate -subjectName "CN=contoso.com" -DomainName contoso.com -GenerateRequest:$True -Keysize 2048 -path c:\temp\contoso.req -privatekeyExportable:$true

Next we need to convert the certificate request to a certificate.  To do this we can use certreq.exe.

certreq.exe -submit -attrib "CertificateTemplate:WebServer" c:\temp\contoso.req

You will be prompted to select your local/domain CA and save the certificate.  Creating/configuring a CA is out of the scope of this article. See Microsoft TechNet regarding creating/configuring a CA.

Once the certificate has been created, open your local computer Personal Certificates store and import the certificate.  This is done via MMC Certificates Snap-In.


Next we need to acquire the certificates thumbprint.  This can be done using the cmdlet Get-ExchangeCertificate.



Lastly, you need to enable the certificate for the desired Exchange services using the cmdlet Enable-ExchangeCertificate.  In this example, I am only enabling it for SMTP and IIS.

Enable-ExchangeCertificate -Thumbprint <enter thumbprint here> -Services "SMTP, IIS"

Also, once the certificate expires, you can renew it using the following.

Get-ExchangeCertificate -Thumbprint <thumbprint> | New-ExchangeCertificate

It is that simple.  Be sure to view ‘get-help <command>’ and/or Microsoft TechNet for additional information on any of these commands.
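As an added example that is not part of the original post, the following Exchange Management Shell script locates the certificate for contoso.com by subject instead of pasting the thumbprint by hand, checks it before use, then enables it for SMTP and IIS and reads the services back. Get-ExchangeCertificate and Enable-ExchangeCertificate are the cmdlets from the post; the -Force switch on Enable-ExchangeCertificate (which suppresses the default-SMTP-certificate prompt) is assumed to be available, as it is on Exchange 2010.

```powershell
# Added example (not from the original post): select, validate, enable and
# verify the internal-CA certificate for the domain used in the post.
$domain = 'contoso.com'

# Newest non-expired certificate for the subject that actually has a private key
# (a request imported without its key shows up here too, but cannot be used).
$cert = Get-ExchangeCertificate |
    Where-Object {
        $_.Subject -eq "CN=$domain" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate with a private key found for CN=$domain. Import the issued certificate into the Local Computer\Personal store first."
}

# Fail loudly if the certificate does not cover the name clients will connect to.
if ($cert.CertificateDomains -notcontains $domain) {
    throw "Certificate $($cert.Thumbprint) does not list $domain in its domain names."
}

Write-Output ('Using {0} (expires {1:yyyy-MM-dd})' -f $cert.Thumbprint, $cert.NotAfter)

# Same call as the post, with the thumbprint supplied programmatically.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'SMTP, IIS' -Force

# Read back: Services is a flags value rendered like "IIS, SMTP".
$after = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
if ("$($after.Services)" -notmatch 'SMTP' -or "$($after.Services)" -notmatch 'IIS') {
    throw "Certificate was not enabled for the expected services (now: $($after.Services))."
}
Write-Output "Enabled for: $($after.Services)"
```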

By | 2017-01-24T09:54:31+00:00 September 29th, 2014|IT Services|

Why are changes to my applicationHost.config not showing up in IIS?

For large or repetitive tasks in IIS (migrating sites, adding additional site bindings, etc.), modifying the applicationHost.config can prove to be much simpler and more efficient than using IIS Manager. However, one of the things I often hear from web administrators is “why are the changes I have made in the applicationHost.config not showing up in IIS?” Though there could be multiple reasons for this, the most common is using a 32-bit editor to modify the applicationHost.config on a 64-bit OS. That’s right: if you use a 32-bit editor such as Notepad++ to edit your applicationHost.config in the ‘C:\Windows\System32\inetsrv\config’ directory, you are actually opening/saving the applicationHost.config in ‘C:\Windows\SysWOW64\inetsrv\Config’ regardless of what the title bar or save path may suggest in your editor. This is the WOW64 file system redirection that Windows applies to 32-bit processes, and it can lead to a lot of unnecessary confusion and troubleshooting if you don’t understand what is actually going on here.

Don’t believe it? Give it a try…

On a 64 bit server with IIS, browse to ‘C:\Windows\System32\inetsrv\config’ and open applicationHost.config using a 32 bit editor such as Notepad++.

Add some text to the comment section of the file and save.


Close Notepad++ and open the same file with a 64bit editor such as Windows Notepad.

Notice your change isn’t there.



Now browse to ‘C:\Windows\SysWOW64\inetsrv\Config’ and open applicationHost.config with Windows Notepad.  Notice your change was saved in this file.




In summary, when editing your applicationHost.config in a 64 bit OS, always be sure to use a 64 bit editor.
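As an added check that is not from the original post, this PowerShell compares the two copies of applicationHost.config described above and warns when the SysWOW64 copy has drifted from the one IIS reads, which is the fingerprint of an edit made with a 32-bit editor. It assumes Get-FileHash (PowerShell 4.0 or later) and is meant to be run from a 64-bit PowerShell.

```powershell
# Added example (not from the original post): detect a 32-bit-editor edit that
# landed in the SysWOW64 copy of applicationHost.config instead of the real one.
$realConfig  = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$wow64Config = Join-Path $env:windir 'SysWOW64\inetsrv\Config\applicationHost.config'

# In a 32-bit process on 64-bit Windows, System32 is itself redirected to
# SysWOW64, so $realConfig would silently resolve to the wrong file. The
# Sysnative alias is the only way past the redirection from a 32-bit process.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Write-Warning 'Running as a 32-bit process: System32 paths are redirected to SysWOW64. Using Sysnative.'
    $realConfig = Join-Path $env:windir 'Sysnative\inetsrv\config\applicationHost.config'
}

function Get-ConfigFingerprint {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path     = $Path
        Modified = $item.LastWriteTime
        Length   = $item.Length
        Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$real = Get-ConfigFingerprint $realConfig
$wow  = Get-ConfigFingerprint $wow64Config

$real, $wow | Where-Object { $_ } | Format-Table -AutoSize

if ($real -and $wow -and $real.Sha256 -ne $wow.Sha256) {
    $newer = if ($wow.Modified -gt $real.Modified) { 'SysWOW64' } else { 'System32' }
    Write-Warning "The two copies differ and the $newer copy was written last. If that is the SysWOW64 copy, the edit was most likely made with a 32-bit editor and IIS never saw it."
} elseif ($real -and $wow) {
    Write-Output 'Both copies are identical.'
} elseif (-not $wow) {
    Write-Output 'No SysWOW64 copy present; only the 64-bit configuration exists.'
}
```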

By | 2017-01-24T09:54:18+00:00 June 13th, 2014|IT Services|

PowerShell: Bulk administration using CSV imports

In today’s post I am going to discuss a very flexible yet simple technique I use to accomplish bulk administration tasks in PowerShell using the import-csv and the ForEach-Object cmdlets.  In today’s example we will be looking at bulk imports of Mail Contacts (New-MailContact) in Exchange.  The task itself could be anything however the concept here remains the same.

The first thing we need to determine is which parameters are required for the New-MailContact cmdlet.  To do this use Get-Help New-MailContact.  From the results we see that -ExternalEmailAddress and -Name are required parameters.  At a minimum our csv needs to include data for these two fields.


Next build the CSV.  I typically name the headers to match the parameter names I plan to use during the import.  This simplifies the syntax later however matching the header names to the parameter names is not a requirement.


In this example I’ll save the file as c:\users.csv. If creating the CSV in Excel be sure to change Save as type to CSV (Comma delimited).


Next, verify your CSV imports successfully by running import-csv c:\users.csv. If any errors are found in your csv, resolve them before moving forward.


Next pipe the results of import-csv to ForEach-Object and specify the action to take for each object within {}. In this case, import-csv C:\users.csv | ForEach-Object {New-MailContact}. Now, at a minimum, add the required parameters to New-MailContact and specify the values found in the CSV by using $_. followed by the column header name (-Name $_.FirstName). The final syntax should look something like this.

import-csv "C:\users.csv" | ForEach-Object {New-MailContact -name $_.FirstName -FirstName $_.FirstName -LastName $_.LastName -ExternalEmailAddress $_.ExternalAddress -OrganizationalUnit $_.OrganizationalUnit -Displayname $_.FirstName}


That is it!  A very simple yet versatile way to complete bulk administration tasks in almost any environment using Import-CSV coupled with ForEach-Object.
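As an added example that is not from the original post, here is the same Import-Csv | ForEach-Object pipeline written as a reusable script with the checks a bulk run needs: the header is validated before anything is created, rows with a missing name or malformed address are skipped and reported, contacts that already exist are not re-created, and -WhatIf dry-runs the whole file. The CSV column names are the post's; the default organizational unit is a placeholder.

```powershell
# Added example (not from the original post): hardened bulk New-MailContact
# import driven by the post's CSV layout (FirstName, LastName, ExternalAddress,
# OrganizationalUnit).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath = 'C:\users.csv',
    [string]$DefaultOU = 'contoso.com/Contacts'   # placeholder OU
)

$required = 'FirstName', 'LastName', 'ExternalAddress'
$rows = @(Import-Csv -Path $CsvPath)
if (-not $rows) { throw "No rows found in $CsvPath." }

# Fail before touching Exchange if the header is not what the script expects.
$header  = $rows[0].PSObject.Properties.Name
$missing = $required | Where-Object { $_ -notin $header }
if ($missing) { throw "CSV is missing required column(s): $($missing -join ', ')" }

$results = $rows | ForEach-Object {
    $name = ('{0} {1}' -f $_.FirstName, $_.LastName).Trim()
    $addr = "$($_.ExternalAddress)".Trim()
    $ou   = if ($_.OrganizationalUnit) { $_.OrganizationalUnit } else { $DefaultOU }

    # Inside ForEach-Object, "return" skips to the next row; "continue" would
    # abort the whole pipeline.
    if (-not $name -or $addr -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        return [pscustomobject]@{ Name = $name; Address = $addr; Result = 'Skipped: bad name or address' }
    }
    if (Get-MailContact -Identity $addr -ErrorAction SilentlyContinue) {
        return [pscustomobject]@{ Name = $name; Address = $addr; Result = 'Skipped: already exists' }
    }
    if (-not $PSCmdlet.ShouldProcess($name, "New-MailContact $addr in $ou")) { return }

    try {
        New-MailContact -Name $name -FirstName $_.FirstName -LastName $_.LastName `
            -DisplayName $name -ExternalEmailAddress $addr -OrganizationalUnit $ou `
            -ErrorAction Stop | Out-Null
        [pscustomobject]@{ Name = $name; Address = $addr; Result = 'Created' }
    } catch {
        [pscustomobject]@{ Name = $name; Address = $addr; Result = "Failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize
```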

By | 2017-01-24T09:53:53+00:00 April 7th, 2014|IT Services|