Scheduling a Backup in Windows Server 2008 using WBADMIN

The Windows Server Backup feature provides a basic backup and recovery solution for computers running the Windows Server 2008 operating system and offers significant improvements over its predecessor. Windows Server Backup introduces new backup and recovery technology and replaces the previous Windows Backup (Ntbackup.exe) feature that was available with earlier versions of the Windows operating system.

One or two people have asked recently how to schedule a backup using the Windows Server Backup feature in Windows Server 2008. This is certainly a legitimate question as the GUI tool provides little or no flexibility in choosing which volumes to back up and where to put them. As such we need to look to the command line and WBADMIN.

In order to schedule the task you will need either a dedicated hard disk and its drive letter or a UNC path to a share.

The following command will back up drives H, I and Z to a share called weeklybackup on server1.

wbadmin start backup -backupTarget:\\server1\weeklybackup -include:H:,I:,Z: -quiet

The command can be broken down into 4 parts:

Wbadmin start backup

Runs a one-time backup. If used with no parameters, uses the settings from the daily backup schedule.

-backupTarget

Specifies the destination to which the backups will be stored.

-include

This switch allows you to specify which volumes you would like to back up.

-quiet

Suppresses any prompts to the user, allowing you to run the command unattended as a scheduled task.

Important:

If you save a backup to a remote shared folder, that backup will be overwritten if you use the same folder to back up the same computer again. In addition, if the backup operation fails, you may end up with no backup because the older backup will be overwritten, but the newer backup will not be usable. You can avoid this by creating subfolders in the remote shared folder to organize your backups. If you do this, the subfolders will need twice the space as the parent folder.
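As an added example (not part of the original post), the following batch file wraps the wbadmin command above so that each scheduled run lands in a dated subfolder of the share, which is the workaround the note above suggests; it also refuses to prune older backups unless the new one succeeded. The share path, volume list and the SYSTEM account's write access to the share are assumptions.

```batch
@echo off
rem Added example, not from the original post: runs the wbadmin command above
rem as a scheduled task, but into a dated subfolder of the share, so a failed
rem run cannot overwrite the last good backup (the problem in the note above).
rem Assumptions: \\server1\weeklybackup and H:,I:,Z: are the post's placeholders;
rem the task runs as SYSTEM, so the computer account must be able to write to
rem the share. Register it once with (one line):
rem   schtasks /create /tn "Weekly WBADMIN" /sc WEEKLY /d SUN /st 01:00 /ru SYSTEM /tr "C:\Scripts\weekly-backup.cmd"
setlocal
set SHARE=\\server1\weeklybackup
set VOLUMES=H:,I:,Z:
set KEEP=3
set STAMP=

rem YYYYMMDD stamp from WMI; %DATE% depends on regional settings and is not
rem safe to parse inside a task that runs as SYSTEM.
for /f "skip=1 tokens=1" %%d in ('wmic os get localdatetime') do (
    if not defined STAMP set STAMP=%%d
)
set STAMP=%STAMP:~0,8%
set TARGET=%SHARE%\%STAMP%
if not exist "%TARGET%" mkdir "%TARGET%"

wbadmin start backup -backupTarget:%TARGET% -include:%VOLUMES% -quiet
if errorlevel 1 (
    >>"%SHARE%\backup.log" echo %DATE% %TIME% backup to %TARGET% FAILED with code %ERRORLEVEL%
    rem Do not prune anything after a failure: the older folders are all we have.
    exit /b 1
)
>>"%SHARE%\backup.log" echo %DATE% %TIME% backup to %TARGET% OK

rem Success only: keep the newest %KEEP% dated folders and remove the rest.
for /f "skip=%KEEP% delims=" %%f in ('dir /b /ad /o-n "%SHARE%\20??????" 2^>nul') do (
    rd /s /q "%SHARE%\%%f"
)
endlocal
```

Each dated subfolder holds a full copy, so the share needs roughly KEEP times the space of one backup, as the note about subfolders above implies.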

Generate a list of Windows startup programs using the command line

One of the first ports of call (at least for me) when troubleshooting performance issues on standalone PCs is to have a look at the start-up programs using ‘msconfig.exe’. While msconfig.exe is fine for IT Pros, it’s not the most friendly of things for the average end user.

I was recently helping out a friend over IM and explaining the concepts and working out which entries to remove was taking a long time. I did some research and found this handy command.

wmic startup get caption,command,description > outputfile

Simply get the person at the other end to run this command and then they can send you the full list for you to inspect.
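As an added example (not from the original post), this batch file runs the same WMI query as the wmic command above, saves it as CSV and then screens the list for entries that run from user-writable folders, which are the ones worth inspecting first. The output path is an arbitrary assumption.

```batch
@echo off
rem Added example, not from the original post: the same WMI query as the wmic
rem command above, saved as CSV, then screened for entries that run from
rem locations any user can write to. Those are the ones to inspect first,
rem whether the problem is slow start-up or something the user did not install.
rem Assumption: the output path (startup.csv on the desktop) is arbitrary.
setlocal
set OUT=%USERPROFILE%\Desktop\startup.csv

rem wmic orders CSV columns alphabetically: Node,Caption,Command,Description,Location,User
wmic startup get caption,command,description,location,user /format:csv > "%OUT%"
echo Full list written to %OUT% (send this file on for review).

rem wmic writes the file as UTF-16; "type" converts it so findstr can match.
echo.
echo Entries launched from user-writable or temporary folders:
type "%OUT%" | findstr /i /l /c:"\Temp\" /c:"\AppData\" /c:"\Users\" /c:"\Documents and Settings\"

echo.
echo Entries that run for every user on this PC (HKLM Run keys, common Startup folder):
type "%OUT%" | findstr /i /l /c:"HKLM" /c:"Common Startup"
endlocal
```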

Wednesday: Server Core and Group Policy

I’ve been to two sessions this morning: one on Group Policy where I picked up some excellent tips on debugging and tracking GPs, and an excellent presentation on Server 2008 Core by Mark Minasi.

I will definitely be writing a lot more about Server Core and the GP information I learnt today but one of his very useful tips that applies to other systems was this command:

wmic qfe list > outputfile.txt

This outputs a list of all patches applied on the computer as well as the support URLs, install date and other information.

Tuesday I: Security Enhancements in Windows 7/Server 2008 R2: Bitlocker & Applocker

I’ve just attended a Windows 7 Roadmap session and some of the enhanced security features of Windows 7 and Server 2008 R2 were demonstrated.

Bitlocker to go

Bitlocker will be available for USB keys and other removable devices. The demonstration showed one-click encryption of a USB stick, secured with a passphrase or smart card. Group policy preferences will be able to enforce the use of Bitlocker and Bitlocker to go in the domain. Bitlocker to go encrypted devices will also be backwards compatible with Windows Vista and XP.

Applocker

A white list of applications can be created using digital signatures. They can be filtered by publisher, version number and other fields which are automatically extracted from an application’s executable package.

Security questions for online authentication – lying is the best policy!

When you sign up for practically anything online these days that has a password, you’ll be asked to provide answers for additional security questions, whether it’s for an additional level of authentication (for online banking), or just as a way of allowing you to authenticate to change a password that you’ve forgotten.

The trouble with these is that it’s relatively easy these days to find the answers to the most common security questions for another individual. In a world of social networks and Google, you can probably find out someone’s mother’s maiden name, where they were born and what their first school was fairly easily; perhaps they have a blog where you can find out the name of their pets, or other information that’s sometimes used.

The news that someone had gained access to Sarah Palin’s Yahoo account last month reminded me of this earlier post by Microsoft UK’s Steve Lamb, who tried to change his mother’s maiden name with his bank to avoid this very issue.

For a while, I’ve been using a legend, with a fake mother’s maiden name, first school, pets, etc, which only I know. This is of course something else that I need to remember, but if you’re going to take security seriously, you’re going to have to make a bit of an effort with it. Of course if you were going to get really serious about this, you’d have to use a different legend for each authentication system – it’s up to you how far you want to go – but I’d definitely recommend using a few little white lies to keep your online accounts safe.

Configure Bitlocker on a TPM Enabled Machine

Introduction:

This guide is based on a detailed article from the Vista TechCenter tested and modified for use on CAMPUS.

BitLocker Drive Encryption is an integral new security feature in the Windows Vista operating system that provides considerable protection for the operating system on your computer and data stored on the operating system volume. BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against “offline attacks,” attacks made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately.

This guide demonstrates how to configure a basic installation of Bitlocker on a TPM-enabled machine and assumes you are performing a clean build on a new machine using a network-based WDS build.

Important things to remember before you begin

  • Bitlocker is particularly recommended to users of laptops within the University.
  • Backups are more important than ever on encrypted disks, as recovery will be all but impossible if the disk’s hardware fails.
  • Changing a system’s hardware will cause the TPM to react and have the system lock down. This can easily be fixed by using the Bitlocker recovery key, but only if you still have it!

Prerequisites

A Machine with a TPM chip
Windows Vista DVD
Windows Vista Business, Enterprise or Ultimate Editions
A USB Key, preferably one you can dedicate to use with Bitlocker.
Access to a Printer

1. Copy the contents of \\campus\software\ucs\SystemSW\Bitlocker to your USB Key.

2. Boot the new machine from the Windows Vista DVD. It is necessary to do this as the WDS build on the Campus Network will not allow access to the command prompt.

3. Select the locale, accept the license and call up a command prompt by pressing SHIFT + F10.

4. At this point you can either manually run the DISKPART tool or use the script you copied on to the USB Key in Step 1.

For BitLocker to work, you must have at least two partitions on your hard disk. The first partition is the system volume and labeled S in this document. This volume contains the boot information in an unencrypted space. The second partition is the operating system volume and labelled C in this document. This volume is encrypted and contains the operating system and user data.

The script you copied to your USB key will automatically:

Select the first disk in the system (Disk 0)
Clean the partition table.
Create a 1.5GB System Partition, set it as active and assign it the letter S.
Partition the rest of the disk and assign it the letter C.
Quick Format both volumes with the NTFS file system.

IMPORTANT: Running this script will destroy all data on the system.

To run the script, change drive to your USB Key and run bitprep.bat.
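The campus bitprep.bat is not reproduced in this guide; as an added example, the batch file below does what the steps above describe by writing a DISKPART script and running it. Disk 0 as the target, the 1.5 GB size, the letters S and C and the volume labels are assumptions taken from the description above.

```batch
@echo off
rem Added example, not the campus bitprep.bat (its contents are not shown in
rem the guide): a wrapper that writes the DISKPART script described in the
rem steps above and runs it. Assumptions: disk 0 is the target, the system
rem partition is 1.5 GB (1536 MB) with letter S, the rest becomes C, both NTFS
rem quick-formatted. As the guide says, this destroys all data on the disk.
setlocal
set SCRIPT=%TEMP%\bitprep.txt

set /p CONFIRM=This will wipe disk 0. Type YES to continue: 
if /i not "%CONFIRM%"=="YES" exit /b 1

> "%SCRIPT%" echo select disk 0
>>"%SCRIPT%" echo clean
>>"%SCRIPT%" echo create partition primary size=1536
>>"%SCRIPT%" echo active
>>"%SCRIPT%" echo assign letter=S
>>"%SCRIPT%" echo format fs=ntfs quick label=System
>>"%SCRIPT%" echo create partition primary
>>"%SCRIPT%" echo assign letter=C
>>"%SCRIPT%" echo format fs=ntfs quick label=Windows
>>"%SCRIPT%" echo exit

diskpart /s "%SCRIPT%"
if errorlevel 1 (
    echo DISKPART reported an error. Check the partition layout before continuing.
    exit /b 1
)
echo Disk 0 prepared: S: (1.5 GB system, active) and C: (operating system).
endlocal
```

Run it from the command prompt opened in step 3; the unencrypted S: volume is what BitLocker later uses to hold the boot files.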

5. When the script has completed, restart your machine and build the machine using WDS as normal, installing Windows on drive C.

6. Now would be a good time to enable your TPM in the BIOS if it is not already. There does not seem to be any convention on how the TPM is referred to, but on HP machines it is listed as the ‘Embedded Security Device’.

7. When your machine has finished building, installing software and is fully patched you can start to configure Bitlocker. Click Start > Control Panel > Security > BitLocker Drive Encryption.

8. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. If your TPM is not initialised, you will see the Initialize TPM Security Hardware wizard. Follow the directions to initialize the TPM and restart your computer.

9. On the Set BitLocker start-up preferences page, select the start-up option you want. You can choose only one of these options:

  • No additional security.
  • Require PIN at every start-up. You will see the Set the startup PIN page. Enter your PIN, confirm it, and then click Set PIN.
  • Require Startup USB key at every start-up. You will see the Save your start-up Key page. Insert your USB flash drive, choose the drive location, and then click Save.

In this scenario Bitlocker supports the following security permutations.

TPM only
TPM + PIN
TPM + PIN + USB Key
TPM + USB Key


10. On the Save the recovery password page, you will see the following options:

  • Save the password on a USB drive. Saves the password to a USB flash drive.
  • Save the password in a folder. Saves the password to a network drive or other location.
  • Print the password. Prints the password.

The recovery password will be required in the event the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that it is recommended that you make additional copies of the password stored in safe places to assure you access to your data. You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session. You should store recovery passwords apart from the computer for maximum security.


11. When you have finished backing up your recovery passwords you are ready to Encrypt the volume. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker verifies if the computer is BitLocker-compatible and ready for encryption.

12. If the system passed the checks you will see an ‘Encryption in Progress’ notifier in the system tray.


13. You now have an encrypted disk!


14. If you would like to add more volumes and encrypt them then create the volumes as normal and then turn on Bitlocker for that drive.


Limiting software usage through GP delegation

To apply a group policy to just a few selected computers in an OU containing many other computers, you can use Group Policy delegation. There are a couple of ways of doing this: one involves Denying access to a group of computers and the other involves Allowing access to a group of computers. It really depends on your local OU structure and what you want to achieve as to which method you use.

DENY

First of all, create a security group of computers (call it something meaningful) and add the PCs that you *don’t* want to get the policy.

Run the Group Policy Management Console/Snap-in, and browse to the group policy in question. Click/double-click it so that you see the tabs Scope, Settings, Details and Delegation in the right-hand pane.

Click on the Delegation tab.

Click Advanced.

Click Add and enter the name of the group of computers. (If you just want to specify a single computer name, that’s okay, but you’ll need to click on Object types first and check the Computers box – groups are easier to maintain though).

Once you’ve added the computer/group of computers to the ACL, you’ll need to check the *DENY* on Apply Group Policy. In this example, I’ve denied rights to UCS Cluster Computers to apply the policy 3 Central 7-zip 4.42:

ALLOW

This is more or less the same procedure. Create a group of computers that you *do* want to get the policy. Click on Delegation… Advanced so that the Security box appears. Remove Authenticated users from the ACL, and add your group of computers. Ensure that Apply Group Policy is selected for this group. ISS use this method for securing the 5 Licensed software policies.

Now what?

Now when you apply the group policy to an OU, only the PCs that are in the allow/deny group will be allowed/denied access to the software.

If you’re using the old Group Policy management tool (the one that’s integrated into Users and Computers), you can make the same changes by just right-clicking the Group Policy, selecting Properties, and then the Security tab.

You can use this method to secure any Group Policy regardless of its purpose, the policy doesn’t necessarily need to be a software policy. For example you can limit application of a policy that adds users to a local machine admin group.

Something to note

To change delegation on a group policy, you must have rights to modify the policy security.