Windows

It always happens on a Sunday.

Whilst working on a rollout on the outskirts of Rio, I discovered that the ?/° key was not working on the laptops I was deploying.


The machine did not have an OEM installation of Windows 7, but a customised image with the Brazilian MUI installed.

To resolve it, I had to add this registry value and reboot.

Windows Registry Editor Version 5.00

; Remaps the physical key with scancode E0 1D (normally the right Ctrl key) so that
; it is reported as scancode 0x73, the ABNT2 /? key (VK_ABNT_C1).
; Layout: 8 zero bytes (version and flags), entry count 02 00 00 00 (one mapping plus
; the terminator), one 4-byte entry (scancode to report, then the original scancode),
; and a terminating 4 zero bytes.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,02,00,00,00,73,00,1d,e0,00,00,00,00

This issue occurs with ABNT and ABNT2 keyboards.
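As an added example (my own code, not part of the original post), the following PowerShell decodes a Scancode Map value, either the hex: text from a .reg file or the live value from the registry, into "physical scancode, reported scancode" rows. It assumes only the documented layout of the value (version, flags, entry count, one DWORD per mapping with the scancode to report in the low word and the physical key's scancode in the high word, then a null terminator); the function names are my own.

```powershell
# Added example, not part of the original post. Decodes a "Scancode Map"
# value (either the live registry value or the hex: string from a .reg file)
# into "physical scancode -> reported scancode" rows.

function ConvertFrom-RegHexString {
    # Turns the '00,00,...' text after 'hex:' in a .reg file into a byte array.
    param([Parameter(Mandatory)][string]$HexText)
    $clean = $HexText -replace '^\s*hex:', '' -replace '[\s\\]', ''
    return [byte[]]($clean -split ',' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
}

function ConvertFrom-ScancodeMap {
    # Value layout (little-endian DWORDs): version (0), flags (0), entry count
    # including the terminating null entry, then one DWORD per mapping whose
    # low word is the scancode to report and whose high word is the physical
    # key's scancode, then a null DWORD. Extended keys carry E0 in the high byte.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 16) { throw "Scancode Map must be at least 16 bytes" }
    $count = [BitConverter]::ToUInt32($Bytes, 8)
    if ($Bytes.Length -ne 12 + 4 * $count) {
        throw "Entry count $count does not match value length $($Bytes.Length)"
    }
    $rows = @()
    for ($i = 0; $i -lt ($count - 1); $i++) {
        $offset = 12 + 4 * $i
        $to   = [BitConverter]::ToUInt16($Bytes, $offset)
        $from = [BitConverter]::ToUInt16($Bytes, $offset + 2)
        $rows += [pscustomobject]@{
            PhysicalKey = ('0x{0:X4}' -f $from)
            ReportedAs  = ('0x{0:X4}' -f $to)
            KeyDisabled = ($to -eq 0)   # mapping a key to 0x0000 disables it
        }
    }
    return $rows
}

function Get-LiveScancodeMap {
    # Reads the value in effect on this machine (a change needs a reboot, as the
    # post notes). Returns $null when no remapping is configured.
    $item = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout' `
                             -Name 'Scancode Map' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return ConvertFrom-ScancodeMap -Bytes ([byte[]]$item.'Scancode Map')
}

# The value from the post, decoded offline:
$fromPost = '00,00,00,00,00,00,00,00,02,00,00,00,73,00,1d,e0,00,00,00,00'
ConvertFrom-ScancodeMap -Bytes (ConvertFrom-RegHexString $fromPost) | Format-Table
```

For the value in the post this produces a single row: physical key 0xE01D (the right Ctrl scancode) reported as 0x0073 (the ABNT2 /? key). Running Get-LiveScancodeMap on a deployed machine is a quick way to confirm the image carries the expected remapping and nothing else, since the same value can also disable keys outright.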

 

For many years Microsoft have advised that anyone with Kerberos authentication issues caused by users being members of many groups (commonly known as Token Bloat) should increase MaxTokenSize to 65535 bytes.

Whilst reading the Understand and Troubleshoot Dynamic Access Control in Windows Server 2012 guide, I read that:

“Previous versions of Windows had a default maximum token size of 12k. However, this value remained too low for many environments and required reconfiguring each computer in the enterprise. Windows Server 2012 and Windows 8 increase the default maximum token size to 48k. This new value is the maximum viable size for SSPI tokens in Windows and may require additional settings changes for applications to support. For example, HTTP settings are required for SSPI tokens over 12K.”

The article How to use Group Policy to add the MaxTokenSize registry entry to multiple computers also states a 48K maximum, with similar reasoning:

“The maximum allowed value of MaxTokenSize is 65535 bytes. However, because of HTTP’s base64 encoding of authentication context tokens, we do not recommend that you set the maxTokenSize registry entry to a value larger than 48000 bytes. Starting with Windows Server 2012, the default value of the MaxTokenSize registry entry is 48000 bytes”.

This led me to do a little further research, as Microsoft stated in the article Active Directory Maximum Limits – Scalability that the “maximum recommended size for a Kerberos ticket is 65,535 bytes”.


Getting nowhere fast, I had an email exchange with the Active Directory Documentation team, who confirmed that this value should now be set to 48K.

The Active Directory Maximum Limits – Scalability website should be updated soon (approx. 09/05/2013) to confirm this.

The question to ask now is: I have set MaxTokenSize to 65535 bytes, should I now change it to 48000 bytes?

So I asked the question:-

“What happens to people who have set the key to 65535? Should they test and change it to 48000 now?  Will Windows Server 2012 break? Will things fail as a result of having it set to the maximum?”

The response:-

Kerberos itself doesn’t really understand the concept of a token size because what it transports is opaque to the protocol. 

Applications, however, are different and can implement their own constraints such as buffer size. Applications ask SSPI (Kerberos) for the size of the authorization buffer of the authenticating user. If the size reported back is greater than the buffer allocated by the application, authentication fails. The size reported back is the actual size, not the maximum size. Therefore, with MaxToken set to 65k and authorization data amounting to 12k, Windows will only report back 12k. MaxTokenSize simply limits the maximum value the SSPI can return to an application. Prior to Windows 8/2012, most environments would set MaxTokenSize to the maximum because it was nearly impossible to determine a user’s true token size. Therefore, if you set it to the max and still had an authentication problem, it was not because of MaxTokenSize (at which point engineers would instruct customers to return the setting to the prior value).

With MaxTokenSize defaulting to the max authentication buffer size for IIS, there shouldn’t be an authentication problem resulting from token size. HTTP caps out at 48k. Making it higher won’t fix the authentication issue, so there is nothing to gain by increasing it.

While the setting in the documentation should mostly be harmless, we should suggest 48k as the ideal setting for MaxTokenSize and point to the Group Policy setting in Windows Server 2012/Windows 8 as the means by which to modify it.

http://blogs.technet.com/b/askds/archive/2012/09/12/maxtokensize-and-windows-8-and-windows-server-2012.aspx

and now we know.
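To put numbers on the 12K, 48K and 65535 figures above, here is an added PowerShell example (my own code, not from the post or from Microsoft's documentation). It estimates a user's authorization-data size with the formula from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s), works out how large that data becomes once the HTTP Negotiate header base64-encodes it, and compares both against MaxTokenSize and the HTTP.sys MaxFieldLength limit. The 16384-byte default and 65534-byte ceiling for MaxFieldLength are the documented HTTP.sys values and are not stated in the post; the function names and the sample group counts are my own.

```powershell
# Added example, not part of the original post or of Microsoft's guidance.
# Estimates a user's authorization-data size, computes the size of that data
# once the HTTP Negotiate header base64-encodes it, and checks both against
# MaxTokenSize and the HTTP.sys header field limit.

function Get-EstimatedTokenSize {
    # Estimate from Microsoft KB 327825: TokenSize = 1200 + 40d + 8s, where
    # d = domain local groups + universal groups outside the user's domain
    #     (+ SIDs in sIDHistory), each stored as a full SID (~40 bytes), and
    # s = global groups + universal groups in the user's domain, stored as RIDs (8 bytes).
    param([int]$d, [int]$s)
    return 1200 + 40 * $d + 8 * $s
}

function Get-Base64Length {
    # base64 emits 4 characters for every 3 input bytes, padded to a multiple of 4.
    param([int]$Bytes)
    return [int](4 * [math]::Ceiling($Bytes / 3))
}

function Test-TokenFits {
    param(
        [int]$TokenBytes,
        [int]$MaxTokenSize   = 48000,   # Windows 8 / Server 2012 default (from the post)
        [int]$MaxFieldLength = 16384    # HTTP.sys default header field limit (documented value, not from the post)
    )
    $headerChars = Get-Base64Length -Bytes $TokenBytes
    [pscustomobject]@{
        TokenBytes           = $TokenBytes
        FitsMaxTokenSize     = ($TokenBytes -le $MaxTokenSize)
        HeaderChars          = $headerChars
        FitsHttpHeader       = ($headerChars -le $MaxFieldLength)
        MaxFieldLengthNeeded = $headerChars   # HTTP\Parameters\MaxFieldLength must reach this (ceiling 65534)
    }
}

function Get-CurrentKerberosHttpSettings {
    # Reads the values in effect on this machine; $null means "not set, default applies".
    $krb  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -ErrorAction SilentlyContinue
    $http = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MaxTokenSize    = $krb.MaxTokenSize
        MaxFieldLength  = $http.MaxFieldLength
        MaxRequestBytes = $http.MaxRequestBytes
    }
}

# Worked figures (constructed inputs): a user in 300 domain-local and 400 global groups
$estimate = Get-EstimatedTokenSize -d 300 -s 400
Test-TokenFits -TokenBytes $estimate

# The old 12K default, the 48000 default and the 65535 maximum, each base64-encoded
12288, 48000, 65535 | ForEach-Object { Test-TokenFits -TokenBytes $_ } | Format-Table
```

The arithmetic explains the documentation team's "Http caps out at 48k": 12288 bytes base64-encode to exactly the 16384-byte default header limit, which is why tokens over 12K need the HTTP settings changed; 48000 bytes encode to 64000, which still fits under the 65534 ceiling for MaxFieldLength; 65535 bytes encode to 87380, which no MaxFieldLength value can carry. The constructed user (16400 bytes estimated) passes MaxTokenSize but fails the default header limit, the pattern that usually gets blamed on MaxTokenSize. Get-CurrentKerberosHttpSettings shows which of the three values a given server has actually been tuned.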

Today I was presented with a Windows 7 Home Premium laptop that, until a couple of days ago, had sound and LAN connectivity.

The sound worked when the diagnostics were run, but not once Windows 7 had loaded, so I knew it was not defective hardware.

The solution, which was relatively easy to implement, took a while to discover; I will update this post at a later date with the troubleshooting steps.

The solution was to add the networkservice and localservice accounts to the local Administrators group.

This can be done by running these two commands from an elevated command prompt:

net localgroup Administrators /add networkservice

net localgroup Administrators /add localservice

Once these two commands are run, restart the laptop and if your issue was the same as mine, sound (and LAN) should now be working.
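The two accounts added above are the identities a large share of Windows services run under, so the workaround also hands every one of those services local administrator rights. As an added example (my own code, not part of the original post), the following PowerShell audits the Administrators group for the two built-in service identities, lists the services that now run with those rights, and prints the commands that reverse the change once the real cause of the failure has been fixed. It uses the ADSI WinNT provider and WMI rather than the newer Get-LocalGroupMember and Get-CimInstance cmdlets so that it runs on Windows 7 with PowerShell 3.0 or later; the function names are my own, and the well-known SIDs S-1-5-19 and S-1-5-20 are the documented identifiers of LOCAL SERVICE and NETWORK SERVICE.

```powershell
# Added example, not part of the original post. Audits the local Administrators
# group for the two built-in service identities the post adds, reports which
# services run under them (and therefore gained administrative rights), and
# shows how to reverse the change once the underlying fault is understood.

$ServiceSids = @{
    'S-1-5-19' = 'NT AUTHORITY\LOCAL SERVICE'    # well-known SID of localservice
    'S-1-5-20' = 'NT AUTHORITY\NETWORK SERVICE'  # well-known SID of networkservice
}

function Get-LocalAdministratorsMembers {
    # Returns Name and SID of every direct member of the local Administrators group.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($member in @($group.Invoke('Members'))) {
        $name     = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        [pscustomobject]@{ Name = $name; Sid = $sid }
    }
}

function Find-ServiceAccountsInAdministrators {
    # Pure check, so it can be run against any member list (for instance one
    # collected from several machines): flags LOCAL SERVICE / NETWORK SERVICE
    # whenever they are members of Administrators.
    param([Parameter(Mandatory)][object[]]$Members)
    $Members | Where-Object { $ServiceSids.ContainsKey($_.Sid) } | ForEach-Object {
        [pscustomobject]@{ Account = $ServiceSids[$_.Sid]; Sid = $_.Sid }
    }
}

function Get-ServicesRunningAs {
    # Lists services whose logon account is one of the flagged identities; each of
    # these runs with local admin rights while the workaround is in place.
    # WMI reports the accounts without spaces (e.g. 'NT AUTHORITY\LocalService'),
    # so both sides are compared with whitespace removed.
    param([Parameter(Mandatory)][string[]]$AccountNames)
    $wanted = $AccountNames | ForEach-Object { $_ -replace '\s', '' }
    Get-WmiObject Win32_Service |
        Where-Object { $wanted -contains ($_.StartName -replace '\s', '') } |
        Select-Object Name, StartName, State, PathName
}

$flagged = @(Find-ServiceAccountsInAdministrators -Members (Get-LocalAdministratorsMembers))
if ($flagged.Count -gt 0) {
    $flagged | Format-Table
    $names = $flagged | ForEach-Object { $_.Account }
    Get-ServicesRunningAs -AccountNames $names | Format-Table -AutoSize
    Write-Host 'To undo the workaround once the real cause is fixed, run from an elevated prompt:'
    Write-Host '  net localgroup Administrators /delete networkservice'
    Write-Host '  net localgroup Administrators /delete localservice'
}
```

Running this after the reboot shows how many services inherited administrator rights from the two commands, which is the cost to weigh against the fix; the same membership check is worth adding to whatever baseline audit you already run against local Administrators groups.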

 

If you are looking to understand what the security policies in Windows 7 and 2008 R2 mean and how they can impact your environment, then this guide is a must read.

Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2

The document covers the following categories in some depth:

Account Policies

This section discusses the Group Policy settings that are applied at the domain level: password policies, account lockout policies, and Kerberos protocol authentication policies.

Advanced Security Audit Policy

This section discusses the use of advanced audit policy settings, which are now integrated with Group Policy to monitor and enforce your security measures. It describes the various settings, and it provides examples of how audit information is modified when the settings are changed.

User Rights

This section discusses the various logon rights and privileges that are provided by the Windows 7 and Windows Server 2008 R2 operating systems, and it provides guidance about which accounts should be assigned these rights.

Security Options

This section provides guidance about security settings for digital data signatures, Administrator and Guest account names, drive access, driver installation behaviour, and logon prompts.

Event Log

This section provides guidance about how to configure the settings that relate to the various event logs on computers running Windows Server 2008 R2 or Windows 7.

System Services

Windows Server 2008 R2 and Windows 7 include a variety of system services. Many of these services are configured to run by default, but others are not present unless you install specific components. This section describes the various services included with the operating systems so that you can best decide which ones to leave enabled and which ones can be safely disabled.

Software Restriction Policies

This section provides a brief overview of the Software Restriction Policy feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

Application Control Policies

This section provides a brief overview of the AppLocker™ feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

External Storage Devices

This section describes Group Policy settings that can be used to limit, prevent, or allow the use of external storage devices in networked computers.

Additional Resources

This section provides links to additional information sources about Windows security topics from Microsoft that you may find useful.



May 2 – Toronto | May 4 – Detroit | May 6 – Chicago | May 9 – Indianapolis | May 11 – Dallas | May 13 – Columbus

The Springboard Series Tour is back! This 6 city tour brings the top product teams from Microsoft to you. We understand the questions and issues that IT pros deal with every day. How do I manage end users bringing consumer devices into the office? Should we look to the cloud for key solutions? Should I virtualize? What are the best tools to manage application compatibility and deployment? The Springboard Series Tour brings the experts and the answers.

Join us for a full day’s deep dive into the tools, solutions and options to help you do more with less. We will cover managing the flexible workspace, a first look at Windows Intune and Office 365. We’ll also show you some of the new Windows Slates and give you details around Microsoft’s strategy for Slate devices. We will preview  the new tools in the MDOP 2011 suite, a deep dive into managing and deploying Office 2010 and great tips and tricks to help you deploy Windows 7 and move your users from Windows XP with speed and ease.

REGISTER NOW and save your seat for this free day of technical demos, Q&A sessions, and real-world guidance from Microsoft experts.

After installing Service Pack 1 on Windows 7 or Windows Server 2008 R2, by default you retain the ability to uninstall the Service Pack and roll back to the previous state. If you are confident that you will not need to roll back the service pack at a later date, the installation can be made final by running DISM /online /cleanup-Image /spsuperseded. On average this has reclaimed over 2GB per server for me; not that much space these days, but if for some reason you have VMs running like this, those 2GBs can add up to a lot of space.

Microsoft have released the Remote Server Administration Tools (RSAT) for Windows 7 with Service Pack 1 (SP1):

Remote Server Administration Tools for Windows® 7 with SP1 enables IT administrators to manage roles and features that are installed on computers that are running Windows Server® 2008 R2, Windows Server® 2008, or Windows Server® 2003, from a remote computer that is running Windows 7 or Windows 7 with SP1.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d

Note that it is important to remove all versions of Administration Tools Pack or Remote Server Administration Tools from the computer before installing Remote Server Administration Tools for Windows 7 with SP1.