So the caveat to this article is that this is specifically for Windows Servers. If you’re trying to enable multiple RDP sessions on Windows 10 or 11, you’ll need to do some further googling to find out how to do that – as this alone won’t be enough.
Enable Multiple RDP Sessions
Log into the server you are trying to enable multiple Remote Desktop sessions on.
Click on the start menu button, type “gpedit.msc” and open it.
I ran into this last week when I was helping someone “fix” their server. They couldn’t reach, or ping, their host, and when running an “ipconfig /all” command it was returning that the machine’s IP was ‘duplicate’.
Worth Noting: So sometimes when a server reports that its’ IP is a ‘duplicate’ it can be a DHCP mishap. It can happen when a server is assigned a static IP that is within a DHCP pool, and because there was no reservation, DHCP hands the IP out to some other machine. Thus two machines are trying to use the same, duplicate, IP address. When that happens you’ll need to resolve it by creating an IP reservation for the “correct” machine, and then releasing the IP from the machine that “incorrectly” took the IP from the pool so it can be assigned a new IP.
The machine I was fixing lived in a subnet that did not use DHCP and only had machines that were statically assigned their IPs in it. So the possible resolution mentioned above did not fit my scenario. So, what could it be? Well if you have a static IP set, and the DHCP service is enabled, Windows likes to give you an address on the 169.x.x.x network. Which just breaks the ip traffic on your server. Here’s how to fix it…
Open a command prompt
Step 2. Enter
Find what your system’s preferred IP is and if autoconfiguration is enabled, and the name of the interface that they are on. You will need this for the next step.
Step 3. Enter
netsh interface ipv4 show interface
Find the index number that is assigned to the interface you identified in the step above, you will need it in the next step.
Run the command below, but replace ’69’ with the index number that you identified in the step above.
netsh interface ipv4 set interface 69 dadtransmits=0 store=persistent
Step 5. Enter
Disable the DHCP Client service. If you ever revert from a static IP back to a DHCP IP, you will need to re-enable this service and set it back to automatic.
Restart your computer. After your system reboots, its static IP should now be the correct IP you had configured on it, and your IP traffic to/from it should be back to normal.
Congratulations, autoconfiguration has been disabled.
If you’re ever tracking down where a suspicious came from, it can be hard to determine if it was downloaded off of the “dirty” internet, or if someone actually created the file locally on the machine. Well if you know how to check the file’s alternative data stream, it actually becomes pretty easy to determine if it was in fact downloaded. You don’t know what the alternate data stream is, or how to check? We can fix that.
First a little background. The “Zone Identifier Alternate Data Stream” is often referred to as the Mark-of-the-Web (MOTW). The MOTW was actually a security feature first introduced by Internet Explorer for determing how to run saved HTML webpages. It has since grown to become implemented into many other file types. Whenever a file is downloaded, your browser implements MOTW by utilizing a feature of the NTFS file system called the alternate data stream (ADS) to associate a data stream to that file. The browser creates an ADS called “Zone.Identifier” and then adds the ZoneId to the stream to specify where the file came from. The ADS will be <file>:Zone.Identifier.
The ZoneId can have the following values:
0. Local Computer
1. Local Intranet
2. Trusted Sites
4. Restricted Sites
Enough of the background… Let us get back to the hands-on part.
To check the files’ ADS & ZoneId from a command prompt, use the following syntax.
Alternatively, to check the file with PowerShell, use either of the following cmdlets.
I’ve used Pi-Hole for longer than I can remember, so it’s time to test drive another solution, AdGuard Home, to see how it compares on my network.
To start, as the title suggests you’ll need a RaspberryPi. While not required, I recommend starting with a new fresh image of the RaspbianOS on it. The next thing you’ll want to do, which I won’t cover in this article, is set up your RaspberryPi with a static IP address and then enable SSH on it so that you can connect to it.
Install AdGuard Home
Before you get started make sure to update your RaspberryPi using these two commands. After that you will be ready to get started.
sudo apt-get -y update
sudo apt-get -y upgrade
The easiest way to begin the installation of AdGuard Home and get it ready to go is to copy and paste the command below and then run it. It will take care of everything; downloading the proper version for your RaspberryPi, installing it, starting it as a service on boot.
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
After a few minutes, the installation completes and you are ready to proceed. Towards the bottom of the output from the install, there are a few lines that tell us what IP the RPi is listening on, on port 3000. Open your browser and go to the third entry which should be the same as the static IP address you applied to your RaspberryPi before we got started. Referencing the example in my image above, I would be going to: http://192.168.1.2:3000. You should be greeted by a five-step getting started wizard.
Using my RaspberryPi 3, I prefer to only use my wired ethernet connection. I usually go into the OS and disable the WiFi. So on this page, I will select my ‘eth0’ interface as the one that I want to listen to for DNS calls on.
Create your username and a password.
Time to set up your devices to point their DNS to your “new” AdGuard Home. At this point, this is when you should be repointing the DNS in your router to now be pointing at your RaspberryPi’s IP address. This will make all of the devices on your network that is pulling a DHCP address from your router start to use AdGuard Home.
Note: This is also when I like to go back into my RaspberryPi’s NIC to statically repoint it’s DNS setting to its own IP address since it is now able to resolve DNS.
The last step is to open the dashboard and login.
The dashboard is what you see as soon as you log into your AdGuard Home. It is where you get to see at a single glance the summary of all of the statistics it has collected. From the number of allowed and blocked DNS queries, to what the top queried and blocked domains are, you can even see which clients are being the “chattiest” and making the most DNS requests. Being the summary page, you can use it as the launchpad to click around and dive deeper into what the devices on your network are doing and who they are talking to.
The only other thing really worth mentioning on the dashboard is the “Disable Protection” button that is near the top of the page next to the ‘Dashboard’ title. If you ever need to troubleshoot an issue with one of the devices on your network, this is how you can easily disable all of the DNS blocking/filters that AdGuard Home is doing so that you can [hopefully] rule it out as the culprit.
Under ‘General Settings’ I like to enable the longest log and statistic retention. Being that this is for a home network, I’m not too concerned about anonymizing the client IP info.
Under the ‘DNS Settings’ I like to set my upstream DNS servers. I personally use Cisco’s OpenDNS. Here is a link to known DNS providers that you could choose from if you don’t want to use Cisco. I also have it run the requests in parallel for faster results. However, I tend to leave almost everything else set to its default values.
Examples you can set as your Upstream DNS Servers:
One of the final ‘DNS Settings’ I like to apply is at the very bottom of the page. I want to limit the use of my DNS to only machines that are on my home network. To do this, under “Allowed clients” I’m adding the CIDR notation for my home network.
I’m adding “192.168.0.0/16” so that it will apply to every address from 192.168.0.0 thru 192.168.255.255. However, while not wrong, this is probably going to be overkill for most home networks that only use a single subnet.
So depending on your home network’s IP address space, you could probably choose to just use a /24 – so it would look more like 192.168.0.0/24. In this example, it would allow all the addresses from 192.168.0.0 thru 192.168.0.255. Again, match up that address space (ie the third octet) to what is in use on your network if you use the /24. If your home network uses a different
Filters are an easy way to quickly block or allow, many different popular sites and services. For example, if you had a hatred for social media, by flipping a toggle in this menu, you could completely cut off and block all services from Facebook on your network.
Note this is not blocking applications, aka Layer 7, it is simply blocking a list of know domains that are owned and/or used by the specific service or website.
The ‘Filters’ is also where you can add/remove DNS blocklists. AdGuard Home comes with quite a few pre-defined lists that you can choose to enable if desired. To get there, click on ‘Filters’, then ‘DNS blocklists’, then click on the ‘Add blocklist’ at the bottom of the page.
Next, you will click ‘Choose from the list’ to start adding the pre-defined blocklists. Alternatively, if you had a custom list you wanted to add, you could do so right here using the ‘Add a custom list’ button.
Here is where the magic happens. This is where you can select any or all of the pre-defined block lists. When you are done, click the save button.
This page is a comprehensive log of everything that AdGuard is doing. You can see what client on your network is making what DNS query. You can filter to see what DNS queries are getting processed or blocked. It is also here that you can see what external resolver answered a particular DNS query. It’s not as snazzy or flashy as the graphs and top charts on the dashboard, but if you are trying to look for the dirty details of whats going on, then your answer is definitely going to be here in this query log.
AdGuard Home service – Start/Stop/Restart/Status
To control the AdGuard Home service and manage it from the command line of your RaspberryPi you can use the following commands.
sudo /opt/AdGuardHome/AdGuardHome -s status
sudo /opt/AdGuardHome/AdGuardHome -s start
sudo /opt/AdGuardHome/AdGuardHome -s stop
sudo /opt/AdGuardHome/AdGuardHome -s restart
Likewise, if you need to you could also uninstall or re-install the AGH service.
sudo /opt/AdGuardHome/AdGuardHome -s uninstall
sudo /opt/AdGuardHome/AdGuardHome -s install
Test if AdGuard Home is working
So your devices should be pointing to AdGuard Home. To test if the ad-blocking is working you have a couple of options.
On your Windows machine open a command prompt, then type this command.
If AdGuard Home is working, it should return “0.0.0.0” as the answer. Meaning that it can not lookup the IP address of the domain “doubleclick.net”.
The other way that you can test your new ad-blocking abilities is by going to a URL and checking how well it blocks ads. A quick google search returned this site as one option to test ad-blocking: https://adblock-tester.com/ I’m sure you can find others…
What is AdGuard Home missing
No Layer 7 Application filtering capabilities
AdGuard does not have any packet inspection capability. Because it can not inspect packets it can not actually block or filter based on content or applications. AdGuard relies completely on DNS and the reputation of the actual domain/URL that is being called. Instead of blocking the content itself, it blocks the IP address lookup for the domain being requested. If you need to block/filter content you will need to look into some sort of Next-Gen Firewall as a solution.
Blocking all Ads
AdGuard and Pi-Hole both suffer from the inability to block ALL ads. This is because sometimes the advertisements, and the content you are actually wanting, come from the same domain. Because they are coming from the same place we are unable to block the actual domain name.
Some examples of a few sites that serve ads and content from the same domain name include:
So if you know anything about managing Windows systems then you know about GPOs. In my honest opinion, GPOs are one of the greatest tools available in Windows. GPOs let you administratively manage all aspects of your computers. You can literally set about 99.9999% of any settings you ever wanted to configure on a computer.
One of the things that make GPOs so great is that it is expandable in that you can add new administrative templates as you add new software to your workstations in your domain. So not only can you manage just about any Microsoft or Windows setting, but you can also add in templates for third-party software from most of the big software venders and enterprise applications, as well as add new templates when new Microsoft releases new OSes and software.
The biggest downside of GPOs is that they can feel like a daunting wall when you first get started implementing them simply because there are sooo many settings that you can potentially configure – where to begin!?! And how do you figure out where to set some of those really odd settings. Well don’t worry, I don’t know anyone that remembers exactly where each setting is. For me, there are two resources that I regularly use to help me find the settings that I want to configure.
This is an official Microsoft tool that lets you search all of the various settings that are available to you in all Microsoft products. It’s a great resource to find where things are set just by using a keyword. Think of it as “Bing” (or “Google”) for GPOs. Out of these two links, this site is the easiest to navigate when looking specifically for Microsoft and Windows settings.
This site includes all of the Microsoft settings, but where it really shines is all of the third-party software settings it has indexed for you. If need to figure out where to set something in Chrome or Adobe or any other software, this site has you covered.
So this last site is just a bonus as it is not exactly a GPO site, but it comes in handy. It’s a way to convert registry settings into powershell commands that you can run. Paste your reg key into it and it will spit out the corresponding PS command for it.
I recently updated my home install of NextCloud right before I went to bed, and when I checked it the next day it was stuck in maintenance mode. Ugh… Thankfully it is easy enough to fix, but you will have to log onto the server to run an occ command from the command line.
The first thing you should try is completing the upgrade with this command.
If you ever forget your admin password, hopefully, you have someone else who is an administrator that can reset it for you. If that is not an option, then the worst-case scenario is that you can log into the server that is hosting your NextCloud and reset the password via the command line with the occ command.
sudo -u www-data php /var/www/nextcloud/occ user:resetpassword admin
Enter a new password:
Confirm the new password:
Successfully reset password for admin
The "www-data" user is going to be the user you have setup as your web service that run NextCloud. If you followed my post about setting up NextCloud, or if you are running on RHEL/CentOS/Fedora, that that user is going to be "apache".
If your Nextcloud username is not "admin", then substitute the username that you setup as your Nextcloud admin.
The Azure Serial console can be disabled and re-enabled for an entire subscription by using the following commands in the Azure CLI. To get the current status of the serial console in your subscripton use the following command:
$subscriptionId=$(az account show --output=json | jq -r .id)
az resource show --ids "/subscriptions/$subscriptionId/providers/Microsoft.SerialConsole/consoleServices/default" --output=json --api-version="2018-05-01" | jq .properties
To enable the serial console for a subscription, use the following commands:
$subscriptionId=$(az account show --output=json | jq -r .id)
az resource invoke-action --action enableConsole --ids "/subscriptions/$subscriptionId/providers/Microsoft.SerialConsole/consoleServices/default" --api-version="2018-05-01"
To disabled the serial console for a subscription, use the following commands:
$subscriptionId=$(az account show --output=json | jq -r .id)
az resource invoke-action --action disableConsole --ids "/subscriptions/$subscriptionId/providers/Microsoft.SerialConsole/consoleServices/default" --api-version="2018-05-01"
Here is how to add the open source antivirus tool ClamAV to the CentOS machine and configure it automatically run a virus scan on newly uploaded files. ClamAV detects all forms of malware including Trojan horses, viruses, and worms, and it operates on all major file types including Windows, Linux, and Mac files, compressed files, executables, image files, Flash, PDF, and many others. ClamAV’s Freshclam daemon automatically updates its malware signature database at scheduled intervals.