Wednesday, January 7, 2015

transitioning to ipv6

dual stack routers

dual ip layer architecture

  • windows supports both IPv4 and IPv6 on the same interface (both stacks run side by side)

tunneling (6to4, 4to6: packets of one IP version carried inside the other)

intra-site automatic tunnel addressing protocol (ISATAP)

  • for private (intranet) networks
  • ipv4 address embedded in the ipv6 interface ID (::0:5efe:w.x.y.z)
  • e.g. fe80::5efe:192.168.1.5
  • host client must resolve the name "isatap"
    • create a DNS A record "isatap" pointing at the ISATAP router
    • on boot the host tries to resolve "isatap"
    • the ISATAP router answers with a router advertisement and the host configures itself from it
  • the router advertisement carries the autoconfig prefix (e.g. a /64); the host appends its ISATAP interface ID

teredo

  • tunnels ipv6 across the ipv4 internet
  • nat is common on edge devices, which breaks plain 6to4/ISATAP (protocol 41)
  • multiple layers of nat can still be a problem (symmetric nat)
  • encapsulates ipv6 in ipv4 udp (server port 3544), so it passes through nat

teredo components

  • teredo server: configures the client address (nat type, mapped port), sets up communication
  • (requires 2 consecutive public ipv4 addresses)
  • teredo relay: forwards between ipv4-only (teredo) clients and ipv6-only hosts
  • teredo host-specific relay: an ipv6 host with ipv4 connectivity that talks to teredo clients directly
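As an added example (not from the original notes), the client address the Teredo server hands out packs the server's IPv4 address, the NAT flags and the client's obfuscated public IPv4/port into the 2001:0::/32 address; decoding one shows how the relay finds the client behind NAT. The sample address is the one published in RFC 4380; the server name teredo.example.com is a placeholder.

```powershell
# Added example, not part of the original notes. Decode a Teredo address and
# show the client-side Teredo settings (NetworkTransition module, Win8/2012+).
function ConvertFrom-TeredoAddress {
    param([Parameter(Mandatory)][string]$Address)

    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()   # 16 bytes, network order

    # Teredo addresses live in 2001:0000::/32
    if ($b.Length -ne 16 -or $b[0] -ne 0x20 -or $b[1] -ne 0x01 -or $b[2] -ne 0 -or $b[3] -ne 0) {
        throw "$Address is not a Teredo (2001:0::/32) address"
    }

    # bytes 4-7: IPv4 address of the Teredo server
    $server = $b[4..7] -join '.'
    # bytes 8-9: flags (0x8000 = client sits behind a cone NAT)
    $flags = ([int]$b[8] -shl 8) -bor $b[9]
    # bytes 10-11: client's NAT-mapped UDP port, obfuscated by XOR 0xFFFF
    $port = (([int]$b[10] -shl 8) -bor $b[11]) -bxor 0xFFFF
    # bytes 12-15: client's public IPv4 address, obfuscated by XOR 0xFFFFFFFF
    $client = ($b[12..15] | ForEach-Object { $_ -bxor 0xFF }) -join '.'

    [pscustomobject]@{
        Server     = $server
        ConeNat    = [bool]($flags -band 0x8000)
        MappedPort = $port
        ClientIPv4 = $client
    }
}

# sample address from RFC 4380
ConvertFrom-TeredoAddress '2001:0000:4136:e378:8000:63bf:3fff:fdd2'

# client configuration: domain-joined clients use "EnterpriseClient" so Teredo
# stays active even when the machine detects a managed network
Get-NetTeredoConfiguration
Set-NetTeredoConfiguration -Type EnterpriseClient -ServerName 'teredo.example.com'   # placeholder server
Get-NetTeredoState
```

RFC 4380 documents that sample as server 65.54.227.120, cone flag set, mapped port 40000 and client 192.0.2.45, which is what the decoder should report; the XOR obfuscation exists only to stop NATs that rewrite embedded IPv4 addresses from mangling the payload.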



DNS global query block list 

windows DNS blocks queries for "isatap" (and "wpad") by default through the global query block list, so that a rogue host cannot register those names with dynamic update and hijack clients.  to deploy an ISATAP router, remove "isatap" from the list (the A record stays; only the block list changes).

change the list from "wpad isatap" to "wpad"

next, configure the router's ISATAP interface as a forwarding and advertising interface and publish the prefix.  hosts will self-assign an ipv6 address from the prefix advertised on that interface.

the IPv6 network host self-assigns an IPv6 address from the advertised prefix

the IPv4-only host uses ISATAP (ipv6 in ipv4, protocol 41) to reach the IPv6 network host
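The whole ISATAP procedure above (block list, DNS record, router interface, client check), as an added example that is not part of the original notes. The zone corp.example.com, the router address 10.0.0.10 and the prefix 2001:db8:10::/64 are placeholders; the DNS lines run on the DNS server, the interface lines on the ISATAP router (Server 2012 cmdlets, with the Server 2008 netsh equivalents in comments).

```powershell
# Added example, not part of the original notes.

# --- DNS server: let clients resolve "isatap" -------------------------------
Get-DnsServerGlobalQueryBlockList                 # default list: wpad, isatap
Set-DnsServerGlobalQueryBlockList -List 'wpad'    # keep blocking wpad only
# Server 2008 equivalent:  dnscmd /config /globalqueryblocklist wpad
Add-DnsServerResourceRecordA -ZoneName 'corp.example.com' -Name 'isatap' -IPv4Address '10.0.0.10'

# --- ISATAP router: forward, advertise, and publish the prefix ---------------
$isatapIf = Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object InterfaceAlias -like 'isatap*' | Select-Object -First 1
Set-NetIPInterface -InterfaceIndex $isatapIf.InterfaceIndex -Forwarding Enabled -Advertising Enabled
# a published route is what the router advertisement carries; hosts combine it
# with their own interface ID (::0:5efe:w.x.y.z) to build an address
New-NetRoute -InterfaceIndex $isatapIf.InterfaceIndex -DestinationPrefix '2001:db8:10::/64' -Publish Yes
# Server 2008 equivalents:
#   netsh interface ipv6 set interface <isatap if> forwarding=enabled advertise=enabled
#   netsh interface ipv6 add route 2001:db8:10::/64 <isatap if> publish=yes

# --- client check -------------------------------------------------------------
Get-NetIsatapConfiguration     # Router is "isatap" (resolved via DNS) unless set explicitly
Get-NetIPAddress -AddressFamily IPv6 | Where-Object InterfaceAlias -like 'isatap*'

# the interface ID a host derives from its IPv4 address
function Get-IsatapInterfaceId {
    param([Parameter(Mandatory)][string]$IPv4)
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    # private IPv4 -> ::0:5efe:hi:lo  (ipconfig prints the last 32 bits in dotted form)
    '0:5efe:{0:x}:{1:x}' -f (([int]$b[0] -shl 8) -bor $b[1]), (([int]$b[2] -shl 8) -bor $b[3])
}
Get-IsatapInterfaceId '192.168.1.5'
```

If the client still shows no ISATAP address, check in this order: does "isatap" resolve (the block list is the usual culprit), is the router's ISATAP interface advertising, and is the published route present with -Publish Yes rather than the default No.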

ipv6 types and addresses

link-local

  • similar to APIPA (169.254.x.x)
  • starts with fe80 (fe80::/10)
  • interface ID randomly generated (windows default; the EUI-64 form derived from the MAC address is not used)
  • used to communicate on the local link only; never routed
  • duplicate address detection (DAD) before the address is used

a host always gets a link-local address, even when it also gets an address from DHCPv6 or static configuration

unique local (replaces the deprecated site-local fec0::/10)

  • similar to private IPv4 (RFC 1918): not routed on the internet, but NAT is not necessarily involved
  • fc00::/7 (first 7 bits 1111 110); in practice fd00::/8 (1111 1101, locally assigned with a random 40-bit global ID); fc00::/8 (1111 1100) is reserved

loopback ::1 (ping ::1)

default route ::/0 (:: by itself is the unspecified address, not something to assign)

Global scope

  • public IP address
  • 6bone: the original experimental IPv6 test network (3ffe::/16), shut down in 2006
  • first 3 bits 001 (2000::/3)
    • 2001::/16 (allocated through the RIRs), 2002::/16 (6to4)
  • global routing prefix: 48 bits or less
    • assigned to large orgs and split up by them
  • subnet ID: the remaining bits of the first 64 after the global routing prefix (16 bits for a /48)
  • interface ID: last 64 bits


% followed by the zone (interface index) distinguishes the same link-local address across multiple interfaces, e.g. fe80::1%12

ipv6 address format


128 bit address

8 groups of 4 hex characters, separated by colons

characters: 0-9, A-F (case-insensitive)

2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses (about 3.4 x 10^38)

2 rules

  • eliminate leading zeros within each group (0db8 -> db8, 0000 -> 0)
  • replace one run of consecutive all-zero groups with "::" (only once per address, otherwise the length is ambiguous; pick the longest run)
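The two shortening rules and the prefix-based address types above, as an added example that is not from the original notes. The function applies the rules by hand, the loop compares its result with what .NET's parser prints, and the second function classifies an address by the prefixes listed in these notes. The sample addresses are constructed for illustration.

```powershell
# Added example, not part of the original notes.

function Compress-IPv6 {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 16) { throw "$Address is not an IPv6 address" }

    # 8 groups of 16 bits; rule 1: '{0:x}' drops the leading zeros of each group
    $groups = for ($i = 0; $i -lt 16; $i += 2) {
        '{0:x}' -f (([int]$bytes[$i] -shl 8) -bor $bytes[$i + 1])
    }

    # rule 2: locate the longest run of all-zero groups (first one wins a tie)
    $bestStart = -1; $bestLen = 0; $runStart = -1; $runLen = 0
    for ($i = 0; $i -le 8; $i++) {
        if ($i -lt 8 -and $groups[$i] -eq '0') {
            if ($runLen -eq 0) { $runStart = $i }
            $runLen++
        } else {
            if ($runLen -gt $bestLen) { $bestStart = $runStart; $bestLen = $runLen }
            $runLen = 0
        }
    }
    # a lone zero group is written "0"; "::" is only used for 2+ groups
    if ($bestLen -lt 2) { return ($groups -join ':') }

    $head = if ($bestStart -gt 0) { $groups[0..($bestStart - 1)] -join ':' } else { '' }
    $tailStart = $bestStart + $bestLen
    $tail = if ($tailStart -lt 8) { $groups[$tailStart..7] -join ':' } else { '' }
    return "${head}::${tail}"
}

function Get-IPv6Scope {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    $b  = $ip.GetAddressBytes()
    if ($b.Length -ne 16)                                 { return 'not IPv6' }
    if ($ip.Equals([System.Net.IPAddress]::IPv6Loopback)) { return 'loopback ::1' }
    if ($ip.Equals([System.Net.IPAddress]::IPv6Any))      { return 'unspecified ::' }
    if ($b[0] -eq 0xfe -and ($b[1] -band 0xc0) -eq 0x80)  { return "link-local fe80::/10 (zone $($ip.ScopeId))" }
    if (($b[0] -band 0xfe) -eq 0xfc)                      { return 'unique local fc00::/7' }
    if (($b[0] -band 0xe0) -eq 0x20)                      { return 'global unicast 2000::/3' }
    if ($b[0] -eq 0xff)                                   { return 'multicast ff00::/8' }
    return 'other'
}

# constructed sample addresses
$samples = '2001:0db8:0000:0000:0000:0000:0000:0001',
           '2001:db8:0:1:0:0:0:1',
           '0:0:0:0:0:0:0:1',
           'fd12:3456:789a:0001:0000:0000:0000:0010',
           'fe80:0:0:0:0:5efe:c0a8:0105'
foreach ($s in $samples) {
    [pscustomobject]@{
        Input  = $s
        Manual = Compress-IPv6 $s
        DotNet = [System.Net.IPAddress]::Parse($s).IPAddressToString
        Scope  = Get-IPv6Scope $s
    }
}
Get-IPv6Scope 'fe80::1%12'   # zone ID is carried separately from the 128 bits
```

The second rule is where hand-written addresses go wrong: 2001:db8:0:1:0:0:0:1 has two zero runs, and only the longer one may become "::", so the shortened form keeps the single "0" in the middle. Comparing against the .NET output is a cheap way to catch a mistaken compression in a script or firewall rule.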

Tuesday, January 6, 2015

dns zones

storage unit for a contiguous part of the namespace: the domain names and their ip addresses (resource records)

mostly forward but also reverse

stored in a file or in AD

  • file: c:\windows\system32\dns\<zonename>.dns
  • one primary and one or more secondaries
  • only the primary is r/w
  • secondaries hold a read-only copy pulled by zone transfer from the primary or from another secondary

ad-integrated

  • stored in AD (only on domain controllers running DNS)
  • replicated with other AD data incrementally; multi-master, so any DC hosting the zone accepts writes
  • supports secure dynamic updates (only authenticated clients can update their own records)

DNS name resolution process

the dns client has a local cache that is pre-loaded from the hosts file

the dns client sends a recursive query to its dns server ("give me the final answer")

the dns server does iterative queries, starting from the root or a known domain server; each server that does not have the answer refers it to the next one down the tree

the dns server that hosts the record is the authoritative dns server.  non-authoritative dns servers hold cached copies that expire with the record's TTL.

creating new zone

replication scope setting depends on how much traffic it generates: "all DNS servers in this domain/forest" stores the zone in the DomainDnsZones/ForestDnsZones partition, so only DCs that run DNS replicate it instead of every DC replicating all of it.

dynamic update: "secure only" is available only for AD-integrated zones; the "nonsecure and secure" option is what a non-AD-integrated (file-backed) zone has to use.
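The zone types and update modes above, created with the DnsServer module (Server 2012 and later), followed by the client-side resolution steps, as an added example that is not from the original notes. Zone names, the 10.0.1.0/24 network, the master 10.0.0.10 and the file names are placeholders.

```powershell
# Added example, not part of the original notes.

# AD-integrated forward zone: replicated only to DNS servers in this domain
# (DomainDnsZones partition); secure dynamic updates only
Add-DnsServerPrimaryZone -Name 'corp.example.com' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# AD-integrated reverse zone for 10.0.1.0/24 (creates 1.0.10.in-addr.arpa)
Add-DnsServerPrimaryZone -NetworkId '10.0.1.0/24' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# file-backed primary (no AD): this copy is the only read/write one, and
# "Secure" is not an option here, only None or NonsecureAndSecure
Add-DnsServerPrimaryZone -Name 'lab.example.com' -ZoneFile 'lab.example.com.dns' -DynamicUpdate 'NonsecureAndSecure'

# secondary on a second server: read-only copy transferred from the primary
Add-DnsServerSecondaryZone -Name 'lab.example.com' -ZoneFile 'lab.example.com.dns' -MasterServers 10.0.0.10

Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate

# --- client-side resolution order -------------------------------------------
Resolve-DnsName -Name 'www.corp.example.com' -CacheOnly   # local cache, hosts entries included
Resolve-DnsName -Name 'www.corp.example.com' -NoHostsFile  # skip the hosts file, ask the server
Resolve-DnsName -Name 'www.corp.example.com' -DnsOnly      # DNS only, no LLMNR/NetBIOS fallback
# asking the server with recursion turned off shows what it already knows
# (its own zones or cache) without it iterating on our behalf
Resolve-DnsName -Name 'www.example.net' -Server 10.0.0.10 -NoRecursion
Get-DnsClientCache | Where-Object Entry -like '*example*'
```

The security-relevant knob is DynamicUpdate: a file-backed zone that must accept updates is forced into NonsecureAndSecure, which lets any host on the network overwrite a record, so keep such zones off the path that domain clients and servers rely on, or move them to AD integration.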

connection profiles

public = public

  • the default: every new, unidentified network is treated as public (most restrictive)

private = home

  • a user or admin has to select it
  • for trusted networks behind a firewall (home/small office)

domain = work

  • applied automatically when the machine authenticates to a domain controller

Firewall interfaces

control panel
  • general settings only (on/off and notifications per profile; lacks granularity)
    • domain - work network
    • public - public network
    • private - home network

wfas (windows firewall with advanced security)
  • granular rules (program, port, protocol, scope, profile, authenticated users/computers)
  • export/import rules (UI or netsh advfirewall export/import)
    • .wfw file

group policy

  • same wfas UI inside the GPO editor
  • large scope (many servers at once)

configuring using Wfas

requires secure connection 

firewall via GPO (GPO settings override the firewall settings on an individual server)

local and GPO rules are merged unless the GPO profile setting "apply local firewall rules" is set to No

connection security rules: use IPsec.  they establish authentication (and optionally encryption) requirements for connections between hosts
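The profile, rule, export and connection security settings above, as an added example that is not from the original notes (NetSecurity cmdlets, Server 2012 and later). The interface alias "Ethernet", the rule names and C:\Temp are placeholders.

```powershell
# Added example, not part of the original notes.

# which profile did each connection land in? Domain is automatic (DC auth);
# Private/Public are chosen, and an unknown network defaults to Public
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

# per-profile state, default inbound action, and whether local rules merge
# with GPO-delivered rules (AllowLocalFirewallRules / AllowLocalIPsecRules)
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules, AllowLocalIPsecRules

# granular wfas rule: inbound TCP/443, Domain profile only
New-NetFirewallRule -DisplayName 'Allow HTTPS (domain only)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow -Profile Domain

# connection security rule: IPsec authentication required for inbound
# connections, requested (but not required) for outbound ones
New-NetIPsecRule -DisplayName 'Require inbound authentication' -InboundSecurity Require -OutboundSecurity Request

# export the whole policy to a .wfw file (same format the wfas UI writes);
# import it on another server with "netsh advfirewall import <file>"
netsh advfirewall export 'C:\Temp\server-fw.wfw'

# GPO-delivered rules report the GPO as PolicyStoreSource; local ones report PersistentStore
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Select-Object DisplayName, Profile, PolicyStoreSourceType, PolicyStoreSource
```

The last query is the check worth running on a server that "should" be locked down by GPO: a PersistentStore rule opening an inbound port means local rule merging is still allowed, so a local admin (or malware with admin rights) can add rules the GPO does not know about.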

Monday, January 5, 2015

Locking down software

software restriction policy

  • designed for legacy windows (XP, Vista, Server 2003/2008)
  • fairly easy to bypass
  • all apps allowed by default (security level "unrestricted")
    • make specific restrictions (disallowed rules)

applocker

  • designed for win7/8, server 2008 R2/2012 and later (enterprise/ultimate client editions)
  • less easy to bypass
  • once rules exist in a rule collection, everything else in that collection is denied by default
    • create the default rules so that windows and program files can run, to avoid locking yourself out of the system

check mark indicates the active (enforced) setting.

new path rule: can be bypassed by copying the file to a different path (or via a user-writable folder inside an allowed path)

hash rule: a hash of the application is calculated and matched, but the hash changes with every version/patch, so the rule needs maintenance.

applocker (win 2008 R2/win 7 and later)

when both software restriction policy and applocker rules are in the same policy, applocker-capable systems ignore the software restriction policy.  use separate policies for each of them.  for backward compatibility (older clients) software restriction policy is still needed.

first thing before enabling it: create the default "allow" rules so the implicit "deny everything else" does not lock the system.  they allow everything under windows and program files to run (and everything for administrators).

although enabled, applocker has no effect until rules exist and the application identity service (AppIDSvc) is running on the workstation.

automatically create rules: scans a folder and generates allow rules (publisher rules for signed files, hash rules otherwise) for the installed apps.  useful for programs outside of the windows and program files folders.

Deny rule

deny running notepad.exe but allow other apps to run (a deny rule always wins over an allow rule that also matches)

Enable the Application Identity Services

enable it in the same policy (computer configuration > windows settings > security settings > system services > application identity: automatic)

or, second option, enable it in the control panel services console (services.msc) on each machine

finally, applocker policy takes time to take effect, in contrast to other policy settings (gpupdate /force, then restart the application identity service or reboot).
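The full AppLocker sequence from these notes (default allow rules, auto-generated rules for other software, the notepad.exe deny rule, the Application Identity service, and the path-rule bypass), as an added example that is not from the original notes. C:\Apps and C:\Temp are placeholder paths; the SIDs are the well-known Everyone and Administrators SIDs. The AppLocker cmdlets only generate Allow rules, so the default and deny rules are written as policy XML directly.

```powershell
# Added example, not part of the original notes.
$everyone = 'S-1-1-0'; $admins = 'S-1-5-32-544'

# 1. the three path rules "Create Default Rules" produces for the Exe
#    collection, plus a Deny for notepad.exe (Deny beats the Windows allow)
function New-PathRuleXml($Name, $Path, $Sid, $Action) {
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">" +
    "<Conditions><FilePathCondition Path=`"$Path`"/></Conditions></FilePathRule>"
}
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    $(New-PathRuleXml 'Default: Program Files' '%PROGRAMFILES%\*'     $everyone 'Allow')
    $(New-PathRuleXml 'Default: Windows'       '%WINDIR%\*'           $everyone 'Allow')
    $(New-PathRuleXml 'Default: Admins'        '*'                    $admins   'Allow')
    $(New-PathRuleXml 'Deny notepad'           '%WINDIR%\notepad.exe' $everyone 'Deny')
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = 'C:\Temp\applocker-exe.xml'
$policyXml | Set-Content -Path $policyFile -Encoding UTF8

# 2. auto-generated allow rules for software outside Windows/Program Files:
#    publisher rule where the file is signed, hash rule otherwise
Get-AppLockerFileInformation -Directory 'C:\Apps' -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path 'C:\Temp\applocker-apps.xml' -Encoding UTF8

# 3. test before applying. At the original path the deny rule matches...
Test-AppLockerPolicy -XmlPolicy $policyFile -Path 'C:\Windows\notepad.exe' -User $everyone
# ...and a copy elsewhere is no longer matched by the path-based deny. Under
# AppLocker's default deny it is still "DeniedByDefault" because no allow rule
# covers C:\Temp; under SRP's default-allow the same copy would simply run.
Copy-Item 'C:\Windows\notepad.exe' 'C:\Temp\np.exe'
Test-AppLockerPolicy -XmlPolicy $policyFile -Path 'C:\Temp\np.exe' -User $everyone

# 4. apply locally (add -Ldap "LDAP://<GPO DN>" to target a GPO), merge the
#    generated rules, and start the Application Identity service, without
#    which nothing is enforced
Set-AppLockerPolicy -XmlPolicy $policyFile
Set-AppLockerPolicy -XmlPolicy 'C:\Temp\applocker-apps.xml' -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
gpupdate /force
Get-AppLockerPolicy -Effective -Xml
```

Run Test-AppLockerPolicy against a full listing of what users actually execute before switching EnforcementMode from AuditOnly to Enabled; the policy above, and the %PROGRAMFILES%\* default rule in particular, still allows anything a user can write into a folder under Program Files, which is the AppLocker equivalent of the path-rule bypass.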