Wednesday, December 29, 2021

Generating a network trace capture and analyzing with Microsoft Network Monitor

An ex-colleague recently reached out to me for assistance on how he could perform a network trace and analyze it for a particular Citrix Virtual Apps and Desktops environment. The tool I usually recommend is Wireshark, but the Wireshark installation would error out during the Npcap install, so that tool was not a viable option.

My ex-colleague’s challenge led me to remember another method I had used in the past (probably more than 5 years ago): the native netsh trace command can capture an ETL file without requiring any software installation. After successfully testing the process, I thought I’d write a blog post to demonstrate it.

Creating a network trace capture file on the virtual desktop

1. On the VDI, launch the command prompt in administrator mode and start a trace with the following command:

netsh trace start capture=yes tracefile=c:\net.etl persistent=yes maxsize=4096

2. Replicate the issue, note the timestamp, and stop the trace with the following command:

netsh trace stop

Analyzing the network trace

  1. Download and install Microsoft Network Monitor: https://www.microsoft.com/en-in/download/details.aspx?id=4865
  2. Launch Microsoft Network Monitor and open the ETL file
  3. Click Tools > Options:

Navigate to the Parser Profiles tab, right-click Windows and click Set as Active:

Drill down to the NDISPacCap node:

For the purpose of this demonstration, we’ll be searching for an SMB path that contains the string college.

Click on Load Filter > Standard Filters > SMB > SmbFileName:

Update the string to look up and click Apply:

Hope this helps anyone who may be looking for an alternative method for capturing network traffic and analyzing it in an environment that may not have Wireshark available.

Releasing NVIDIA RTX Virtual Workstation License(s) on the License Server Manager

One of the frequent questions I’ve been asked in the past for VDI deployments that are accelerated with NVIDIA GPU GRID cards is how we can release licenses assigned to VDIs that no longer exist. One scenario that can cause this is when a set of virtual desktops is deployed but then has to be redeployed the same evening because of a required change in configuration (I had to do this once when I needed to change the GPU memory allocation for the desktops).

Failure to have sufficient licenses for the VDIs will display the following message upon logging into the virtual desktop:

Failed to acquire NVIDIA license.

Failed to acquire NVIDIA RTX Virtual Workstation license. Click here for more information.

The short answer is that there isn’t a way to do this via the on-premise license server, command line or the NVIDIA Application Hub, and the recommended method is to either reduce the lease time for the license or completely remove all the licenses allocated to the desktops.

The steps to modify the lease time are as follows:

  1. Log onto the VDI master image
  2. Open the registry editor and browse to HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\GridLicensing
  3. Edit the LicenseInterval DWord (REG_DWORD) and configure the interval time that represents how long the license lease is valid for

The value must be an integer within the range 10-10080 and specifies the period of time, in minutes, for which a license can be borrowed after it is checked out. After this period has elapsed, the client must obtain a new license from the server.
The default is 1440 minutes, which corresponds to a period of 1 day. The value can be reduced to an hour so a new license would be reissued.
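
The registry change in step 3 can also be scripted on the master image with the range check built in. This PowerShell is an added example, not part of the original post; the function name Set-GridLicenseInterval is an assumption, while the key, value name, range and default come from the text above.

```powershell
# Added example; Set-GridLicenseInterval is an illustrative name, not an NVIDIA cmdlet.
function Set-GridLicenseInterval {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Lease time in minutes; values outside the documented 10-10080 range are rejected.
        [Parameter(Mandatory)][ValidateRange(10, 10080)][int]$Minutes
    )
    $key = 'HKLM:\SOFTWARE\NVIDIA Corporation\Global\GridLicensing'
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Registry key not found: $key"
    }

    # When the value is absent, the default of 1440 minutes (1 day) applies.
    $current = (Get-ItemProperty -LiteralPath $key).LicenseInterval
    if ($null -eq $current) { $current = 1440 }

    # -WhatIf / -Confirm are honoured here, so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess($key, "Set LicenseInterval from $current to $Minutes minutes")) {
        New-ItemProperty -LiteralPath $key -Name LicenseInterval -PropertyType DWord `
            -Value $Minutes -Force | Out-Null
    }

    # Read the value back so the result reflects what is actually stored.
    [pscustomobject]@{
        Previous = $current
        Stored   = (Get-ItemProperty -LiteralPath $key).LicenseInterval
    }
}

# Preview the one-hour lease mentioned above without writing anything.
Set-GridLicenseInterval -Minutes 60 -WhatIf
```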

The environment I was working with already had the lease time configured to be a day (default) and further reducing it was not ideal in case we ever had a license server failure so I opted to use the 2nd method, which was to completely remove all the licenses allocated to the desktops so new ones would be issued. It is worth noting that I was told by the NVIDIA support engineer that this does not adversely affect the VDIs currently in use so it can be performed during regular hours.

The following are the steps:

1. Begin by logging into the NVIDIA Application Hub via the URL: https://nvid.nvidia.com/dashboard/

2. Select NVIDIA LICENSING PORTAL:

3. Navigate to LICENSE SERVERS, expand the License Server node and click on Download:

4. The license file representing the licenses will be downloaded:

5. On the on-premise NVIDIA licensing server, stop the FlexNet License Server - nvidia service:

6. Navigate to the path: C:\Windows\ServiceProfiles\NetworkService\flexnetls\:

7. Rename the nvidia folder to nvidia-old:

8. Start the FlexNet License Server - nvidia service:

9. Open the license portal on the on-premise NVIDIA license server, navigate to License Management, ensure that the server is up, and the following error message is NOT present:

Connection error: Please make sure the FNE server is up and running

10. Confirm that the nvidia folder previously renamed has been recreated:

11. Confirm that there are no licensed clients listed:

12. With the server services up, proceed to upload the previously downloaded license file (.bin):

13. Confirm that the message Successfully applied license file to the license server. is displayed:

14. Navigating back to the Licensed Clients window should initially show an empty list and then new clients being listed:

Enable Security Authentication for NVIDIA License Server Manager

Those who have worked with the NVIDIA License Server Manager that is deployed to provide virtual desktops with GPU licenses will quickly notice that the default install does not provide any security for the management console as navigating to the URL: http://localhost:8080/licserver/ will bring you straight into the console without authentication. Given that I’ve been asked many times in the past about securing this portal, this post serves to demonstrate the process.

Enabling the login requirement cannot be done via the GUI.

To enable the authentication requirement, we’ll need to use the nvidialsadmin.bat via the command line. The nvidialsadmin.bat can be found in the directory C:\NVIDIA\LicenseServer\enterprise on the licensing server:

Enable Security for the NVIDIA License Server Manager

1. Begin by launching a command prompt as an administrator and navigating to the directory: C:\NVIDIA\LicenseServer\enterprise

2. Execute the following command to set the security flag as true:

nvidialsadmin.bat -server http://127.0.0.1:7070 -config -set security.enabled=true

3. Next, execute the following command with the default password for the admin account (Admin@123) and set the new password (Update the New-Password1 value to the password desired):

nvidialsadmin.bat -server http://127.0.0.1:7070 -authorize admin Admin@123 -users -edit admin New-Password1

4. Proceed to restart the Apache Tomcat 9.0 Tomcat9 service in the services console on the license server:

5. Wait for the license server to be fully started then try to navigate to the console at http://localhost:8080/licserver/ to verify that credentials are required:

Disable Security for the NVIDIA License Server Manager

1. To disable the security login requirement execute the following command with the configured password to authorize the session:

nvidialsadmin -server http://127.0.0.1:7070 -authorize admin New-Password1

2. Then set the security flag to false:

nvidialsadmin.bat -server http://127.0.0.1:7070 -authorize admin New-Password1 -config -set security.enabled=false

3. Proceed to restart the Apache Tomcat 9.0 Tomcat9 service in the services console on the license server:

4. Wait for the license server to be fully started then try to navigate to the console at http://localhost:8080/licserver/ to verify that credentials are no longer required.

Wednesday, December 1, 2021

Configuring Security Headers to secure Microsoft Active Directory Federation Services / AD FS for scoring an A on SecurityHeaders.com

A colleague recently asked me how they could score an A+ on www.securityheaders.com with a Windows Server 2019 AD FS WAP server that is exposed to the internet. It has been a while since I’ve configured one, so I had to dig up my old notes and thought it would be great to write this quick post with the headers that achieve an A score. An A+ is not possible because it would require the Content-Security-Policy header to exclude the values:

  1. 'unsafe-inline'
  2. 'unsafe-eval'

… and excluding these would throw the following error:

JavaScript required

JavaScript is required. This web browser does not support JavaScript or JavaScript in this web browser is not enabled.

To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help.

The following is the header configuration that I’ve used in the past to score an A (these cmdlets are executed on the internal AD FS server and not on the WAP):

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'"

Set-AdfsResponseHeaders -SetHeaderName "Strict-Transport-Security" -SetHeaderValue "max-age=157680000; includeSubDomains"

Set-AdfsResponseHeaders -SetHeaderName "X-XSS-Protection" -SetHeaderValue "1;mode=block"

Set-AdfsResponseHeaders -SetHeaderName "X-Content-Type-Options" -SetHeaderValue "nosniff"

Set-AdfsResponseHeaders -SetHeaderName "Referrer-Policy" -SetHeaderValue "no-referrer"

Set-AdfsResponseHeaders -SetHeaderName "Permissions-Policy" -SetHeaderValue "geolocation=(),microphone=(),fullscreen=(self), vibrate=(self)"

Note that X-Frame-Options is already set to DENY by the AD FS server so there is no need to configure it. Use the following cmdlet to review the settings:

Get-AdfsResponseHeaders | Select-Object -ExpandProperty ResponseHeaders
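
To confirm the result after running the cmdlets, the headers a client actually receives can be checked against the values above. The following PowerShell is an added example, not code from the original post: the function name Test-AdfsSecurityHeaders and the sample header table are constructed for illustration.

```powershell
# Added example; the function name and sample data are illustrative, not part of AD FS.
function Test-AdfsSecurityHeaders {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Headers)

    # HTTP header names are case-insensitive, so copy into a case-insensitive table.
    $h = [System.Collections.Generic.Dictionary[string,string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($name in $Headers.Keys) { $h[[string]$name] = ([string]$Headers[$name]).Trim() }

    # Header name -> pattern, derived from the values configured in this post.
    $expected = [ordered]@{
        'Content-Security-Policy'   = "default-src\s+'self'"
        'Strict-Transport-Security' = 'max-age\s*=\s*[1-9]\d*.*includeSubDomains'
        'X-XSS-Protection'          = '^1;\s*mode=block$'
        'X-Content-Type-Options'    = '^nosniff$'
        'Referrer-Policy'           = '^no-referrer$'
        'Permissions-Policy'        = 'geolocation=\(\)'
        'X-Frame-Options'           = '^DENY$'   # set by AD FS itself, per the note above
    }

    foreach ($name in $expected.Keys) {
        $value = $null
        $status = if (-not $h.TryGetValue($name, [ref]$value)) { 'Missing' }
                  elseif ($value -notmatch $expected[$name]) { 'Mismatch' }
                  else { 'OK' }

        # These two CSP keywords are what the post says keeps the grade at A.
        $note = ''
        if ($name -eq 'Content-Security-Policy' -and $value -match "'unsafe-(inline|eval)'") {
            $note = "allows 'unsafe-inline' and/or 'unsafe-eval'"
        }
        [pscustomobject]@{ Header = $name; Status = $status; Value = $value; Note = $note }
    }
}

# Constructed sample: the values from this post, with Referrer-Policy left out on purpose
# and one header name in lower case to exercise the case-insensitive lookup.
$sample = @{
    'content-security-policy'   = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'"
    'Strict-Transport-Security' = 'max-age=157680000; includeSubDomains'
    'X-XSS-Protection'          = '1;mode=block'
    'X-Content-Type-Options'    = 'nosniff'
    'Permissions-Policy'        = 'geolocation=(),microphone=(),fullscreen=(self), vibrate=(self)'
    'X-Frame-Options'           = 'DENY'
}
Test-AdfsSecurityHeaders -Headers $sample | Format-Table -AutoSize
```

For a live check, pass the Headers property of an Invoke-WebRequest response from the federation service's sign-in URL instead of the sample table.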

Hope this helps anyone who may be looking for these headers.