Tuesday, January 17, 2017

Windows 10 apps can’t be opened using the built-in Administrator account

The error message reads: "Microsoft can’t be opened using the Built-in Administrator account. Sign in with a different account and try again."

Microsoft has added another layer of protection here, much like the Internet Explorer Enhanced Security Configuration that we have grown to love and hate: modern (Store) apps refuse to launch under an account that runs with a full, unfiltered administrator token, which is exactly how the built-in Administrator runs by default.
To get past this message and still use the built-in Administrator account for administrative tasks, enable Admin Approval Mode for that account so it gets a filtered token and UAC prompts like any other administrator:
  • Open the Local Security Policy on the Windows 10 workstation by running secpol.msc from a search/run/command prompt.
  • Under Local Policies > Security Options, find “User Account Control: Admin Approval Mode for the Built-in Administrator account”.
  • Set the policy to Enabled, then sign out and back in (the setting is the FilterAdministratorToken DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; 1 = enabled).
  • Longer term, do day-to-day work from a separate administrator account and leave the built-in Administrator disabled: it has a well-known SID and is a permanent target.

Wednesday, January 11, 2017

DHCP Pool and static reservations

To create DHCP reservations on a Cisco L3 device, first create the scope (the pool with the network statement) and then create each reservation as its own pool with a unique name. The device matches a reservation to the scope because its host address falls inside the scope's CIDR block, so the reservations become a subset of that pool and inherit its options.
For example, you want a printer scope on 10.xxx.5.0/24 with your company settings, and you have 3 printers that need permanent DHCP reservations at 10.xxx.5.21, .22 and .23. You obtain the printers' MAC addresses as 0000.1111.2222, 5555.4444.3333 and 6666.5555.4444 respectively. You create a DHCP pool for printers with the network, domain-name, dns-server and default-router (plus any other options you need). Then you create a reservation for each printer: a pool with a unique name, the host address, and the client-id, which is the MAC address with "01" (the hardware type for Ethernet) prepended and the resulting 14 hex digits regrouped into the dotted groups of four that IOS expects. Note that the reservation pool's name does not have to relate to the scope pool's name at all.

The configuration would look like this (client-ids written in the dotted groups of four that IOS uses, as in the working example further down):
conf t
!
ip dhcp pool Printers
 network 10.xxx.5.0 255.255.255.0
 domain-name yourcompany.global.pvt
 dns-server 10.xxx.10.100
 default-router 10.xxx.5.1
!
ip dhcp pool Print-21
 host 10.xxx.5.21 255.255.255.0
 client-id 0100.0011.1122.22
!
ip dhcp pool Print-22
 host 10.xxx.5.22 255.255.255.0
 client-id 0155.5544.4433.33
!
ip dhcp pool Print-23
 host 10.xxx.5.23 255.255.255.0
 client-id 0166.6655.5544.44
!
end
wr mem

This works on most Cisco L3 devices. Note that some printers obtain addresses with BOOTP instead of DHCP; a BOOTP reservation uses the hardware-address command with the bare MAC (no 01 prefix) instead of client-id. The details are in the Cisco IP Addressing (DHCP) configuration guide. Also keep in mind that a reservation is an addressing convenience, not an access control: the client-id is whatever the client sends, so any host can claim a printer's address by spoofing its MAC.

For example, with a PC whose MAC address is 2047.47D0.C89A:

Sample config:

ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 10.1.1.2

ip dhcp pool VLAN1
 network 10.1.1.0 255.255.255.0
 domain-name test.local
 default-router 10.1.1.1

   
****YES, WORKS****
ip dhcp pool RESERVE_POOL
 host 10.1.1.10 255.255.255.0
 client-id 0120.4747.d0c8.9a

****NO (missing the 01 hardware-type prefix)****
ip dhcp pool RESERVE_POOL
 host 10.1.1.10 255.255.255.0
 client-id 2047.47d0.c89a

****NO (hardware-address is for BOOTP clients, and the 01 prefix does not belong there)****
ip dhcp pool RESERVE_POOL
 host 10.1.1.10 255.255.255.0
 hardware-address 0120.4747.d0c8.9a

****NO (hardware-address is for BOOTP clients; a DHCP client is matched on client-id)****
ip dhcp pool RESERVE_POOL
 host 10.1.1.10 255.255.255.0
 hardware-address 2047.47d0.c89a

Note what happens when you try to exclude the reserved address 10.1.1.10 from the dynamic range by hand: IOS already treats the host address of a reservation pool as excluded and reports it as such.
Switch(config)#ip dhcp excluded-address 10.1.1.10

% Address 10.1.1.10 is already excluded.



Monday, January 9, 2017

AAA

AAA is used for role-based access control (RBAC) and centralized management of who can log in, what they can do, and what they did.

A uthentication - who are you (credentials)
A uthorization - what are you allowed to do (exec shell, privilege level, individual commands)
A ccounting - what did you do and when (session and command records)

TACACS+ is mainly used for device management and administration: it separates authentication, authorization and accounting, supports per-command authorization, and encrypts the whole packet body.
RADIUS is used for end users (network access): it combines authentication and authorization and encrypts only the password.

Example Configuration:

1. Enable AAA (aaa new-model) and define the TACACS+ server(s) and shared key
2. Set up method lists for authentication, authorization and accounting
3. Apply the method lists to the lines (vty, console)


A method list named with the keyword 'default' applies automatically to every line that has no named list assigned:

aaa authentication login default group tacacs+ local enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+


'if-authenticated' is the fallback at the end of an authorization method list: if none of the methods before it answers (for example, the TACACS+ server is unreachable), the router authorizes the request as long as the user has already been authenticated. Combined with the 'local' fallback in the login list, this keeps an admin from being locked out when the server is down. Be aware that it is a fail-open choice: while the server is unreachable, per-command authorization is gone and anyone who authenticates (against the 'local' or 'enable' entries) can run any command, so the local accounts and enable secret must be strong, and the accounting records for that period are lost as well.
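The method lists above are only half of the picture; a full TACACS+ AAA setup also needs aaa new-model, the server definition and the lines the lists are applied to. The following is an added example, not config from the original post: the server address, key, loopback, group name and local fallback user are assumed values, and the method lists are the ones from the post with the server group named explicitly.

```cisco
! Added example (not from the original post): complete TACACS+ AAA setup that
! the method lists above plug into. Server address 10.10.10.5, the shared key,
! Loopback0, the group name TAC-SERVERS and user "netadmin" are assumed values.
aaa new-model
!
! Local fallback credentials, used only when every TACACS+ server is unreachable
enable secret StrongEnableSecret
username netadmin privilege 15 secret StrongLocalSecret
!
! TACACS+ server definition (newer IOS syntax; older releases use
! "tacacs-server host 10.10.10.5 key <key>")
tacacs server ISE-1
 address ipv4 10.10.10.5
 key TacacsSharedKey
!
aaa group server tacacs+ TAC-SERVERS
 server name ISE-1
!
! Source AAA traffic from a stable address so the server can identify this client
ip tacacs source-interface Loopback0
!
! Method lists: ask the TACACS+ group, then the local database, then the enable secret
aaa authentication login default group TAC-SERVERS local enable
aaa authorization config-commands
aaa authorization exec default group TAC-SERVERS local if-authenticated
aaa authorization commands 1 default group TAC-SERVERS if-authenticated
aaa authorization commands 15 default group TAC-SERVERS if-authenticated
aaa accounting exec default start-stop group TAC-SERVERS
aaa accounting commands 1 default start-stop group TAC-SERVERS
aaa accounting commands 15 default start-stop group TAC-SERVERS
aaa accounting system default start-stop group TAC-SERVERS
!
! "default" lists apply on their own, but naming them on the lines makes the
! intent explicit; SSH only, no telnet
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 accounting exec default
 accounting commands 1 default
 accounting commands 15 default
 transport input ssh
```

Keep the console session open and run 'test aaa group TAC-SERVERS netadmin <password> legacy' (or log in on a second vty) before trusting the new lists; a mistake in the authorization lists locks the vty lines out.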


Friday, January 6, 2017

NAT and PAT

NAT and PAT are often presented as a security mechanism because they hide internal hosts behind another address. They do obscure internal addressing, but they are not a firewall: an inbound packet is dropped only because no translation exists for it, and every static mapping deliberately creates one, so static NAT/PAT entries still need an ACL or stateful inspection in front of them.

Options are:

NAT one-to-one dynamic - source internal IP address translated to an address drawn from a pool of publicly routable addresses; each active inside host consumes one pool address.

PAT many-to-one dynamic (overload) - source internal IP addresses translated to a single publicly routable source address, distinguished by the translated TCP/UDP source port.

NAT one-to-one static - a fixed internal IP address translated to a fixed publicly routable address, in both directions.

PAT port forwarding static - a single publicly routable address and port translated to an internal resource, so different ports on one public address can reach different internal hosts.

Example of one-to-one dynamic NAT. An access list is created to match the 10.1.0.0 source addresses to translate.
G1/0 is the outside interface, G2/0 the inside interface.

The pool starts at 10.123.0.33 with a prefix length of 27 (10.123.0.33 to 10.123.0.62).




Example of many-to-one dynamic PAT. Translate multiple internal clients to a single publicly routable IP address (the outside interface's address) using the 'overload' keyword.




Example of static one-to-one NAT. The internal IP address 10.1.0.25 is statically mapped to the global IP address 10.123.0.25.


Example of port-forwarding static PAT. Internal host 10.1.0.50 port 80 is translated to 10.123.0.25 port 80.


The command used is

ip nat inside source static tcp 10.1.0.50 80 10.123.0.25 80 extendable

('static tcp' selects a per-port static entry; 'extendable' lets several such entries share one global address.)
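Pulling the four examples above together on one router, as an added example that is not config from the original post: the interface addresses, the /24 inside mask and the second global address used for the port forward are assumptions; the pool, ACL subject and static mappings are from the text.

```cisco
! Added example (not from the original post): the four translation types
! described above on R1. G1/0 faces the provider, G2/0 the LAN. The interface
! addresses, the /24 inside network and 10.123.0.26 are assumed values.
ip cef
!
interface GigabitEthernet1/0
 description Outside (provider)
 ip address 10.123.0.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet2/0
 description Inside (LAN)
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
!
! Which inside sources are eligible for dynamic translation
access-list 1 permit 10.1.0.0 0.0.0.255
!
! 1) Dynamic one-to-one NAT: pool 10.123.0.33-10.123.0.62 (/27).
!    Only as many hosts as there are pool addresses can be active at once.
ip nat pool OUTSIDE-POOL 10.123.0.33 10.123.0.62 prefix-length 27
ip nat inside source list 1 pool OUTSIDE-POOL
!
! 2) Dynamic PAT (many-to-one): everything in access-list 1 behind G1/0's
!    address, distinguished by source port. Use this INSTEAD of 1), not
!    alongside it, since both bind the same list.
! ip nat inside source list 1 interface GigabitEthernet1/0 overload
!
! 3) Static one-to-one NAT: 10.1.0.25 is always 10.123.0.25.
!    Every port on 10.123.0.25 is now reachable from outside, so filter it.
ip nat inside source static 10.1.0.25 10.123.0.25
!
! 4) Static PAT (port forwarding): only TCP/80 on 10.123.0.26 goes to 10.1.0.50.
!    The post maps to 10.123.0.25; a separate global address is used here so
!    that 3) and 4) can coexist in one config.
ip nat inside source static tcp 10.1.0.50 80 10.123.0.26 80 extendable
```

Check the result with 'show ip nat translations' and 'show ip nat statistics'; 'clear ip nat translation *' flushes dynamic entries after the rules change.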


Netflow

NetFlow allows discovery of what traffic is on the network and shows trends and history of network usage; the same flow records are a primary data source for spotting scans, exfiltration and other anomalies.

Components of NetFlow:
Record - defines what a flow is (the key fields that are matched) and what is collected about it
Monitor - the flow cache; identifies what to collect and is applied to an interface
Exporter - ships the cached flow records to a network management system for analysis
Collector - network management software running a collector that receives and stores the exports

Optional sampler - only a fraction of packets is examined rather than everything, to reduce the overhead of the monitoring process (at the cost of missing small flows).


Exporter configuration requires:
 Name
 Destination IP (the collector)
 UDP port
 Version of NetFlow (v5 or v9)
 Source interface (defaults to the interface whose address is used to reach the NMS)

Monitor configuration requires:
 Name
 Type of information to collect (a record: IPv4, IPv6, or a custom record)
 Which exporter to use

Apply the monitor to the interface for the inbound or outbound flow.

Example of an exporter named EXPORT-1 sending flow records to the collector at IP 192.168.1.23 on UDP port 9996, using NetFlow version 9, sourced from interface g1/0's IP address.
Then a monitor named MONITOR-1 is applied to g1/0 on R1.



To reduce the overhead caused by NetFlow, use a sampler.

Example of configuring a sampler named OUR-SAMPLER, applied to the monitor, that examines 1 out of every 10 packets deterministically.
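The exporter, monitor and sampler examples above as one Flexible NetFlow config, added here and not taken from the original post: the collector, port, version, interface and names are from the text; the record fields, cache timeouts and the RECORD-1 name are my choices.

```cisco
! Added example (not from the original post): Flexible NetFlow on R1 with the
! exporter, monitor and sampler named in the text. The flow record RECORD-1
! and the cache timeouts are assumed; collector, port and version are from the post.
flow exporter EXPORT-1
 description Export to NMS collector
 destination 192.168.1.23
 source GigabitEthernet1/0
 transport udp 9996
 export-protocol netflow-v9
!
! What a "flow" is: the 5-tuple plus input interface, with byte/packet counters
flow record RECORD-1
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! The monitor owns the cache and ties the record to the exporter
flow monitor MONITOR-1
 description Ingress traffic on G1/0
 record RECORD-1
 exporter EXPORT-1
 cache timeout active 60
 cache timeout inactive 15
!
! 1-in-10 deterministic sampling to cut CPU and export load
sampler OUR-SAMPLER
 mode deterministic 1 out-of 10
!
interface GigabitEthernet1/0
 ! unsampled form would be: ip flow monitor MONITOR-1 input
 ip flow monitor MONITOR-1 sampler OUR-SAMPLER input
```

Check with 'show flow monitor MONITOR-1 cache' and 'show flow exporter EXPORT-1 statistics'. NetFlow v9 export is plain UDP with no authentication or encryption, so carry it over a management network or dedicated VRF and only to collectors you control.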





Unicast Reverse Path Forwarding

uRPF provides dynamic source-address spoofing prevention based on the routing table: the router looks up the source address of each incoming packet and drops the packet if the route back to that source does not pass the check.

uRPF modes:
Strict - the best route back to the packet's source must point out the same interface the packet came in on, i.e. a reply would exit where the packet entered. Only works where routing is symmetric (equal-cost paths are fine).
Loose - the source only needs some valid route in the routing table, on any interface. Used where routing is asymmetric (packets enter and exit on different interfaces), which is the weaker check: it still catches completely bogus sources but not sources that merely arrived from the wrong direction.



uRPF options:

allow-self-ping - let the router ping its own interface addresses, which strict mode would otherwise drop
allow-default - count the default route as a valid return path (weakens the check considerably; with a default route present almost any source passes)
ACL applied to failed checks - packets that fail are matched against the ACL; a permit lets them through, a deny drops them
(an ACL containing only 'deny ip any any log' is a handy way to test whether the uRPF check is working, since every drop is logged)



Example of uRPF

A loopback with an internal IP address on the edge router R1 is pinged from an external provider router.
uRPF fails the ping because R1 has no route back to the provider router's source address (or not via the interface the ping arrived on), so the packet is dropped before it reaches the loopback.

The 'show ip interface' command shows the verification drop count.
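The options and example above as an added config for R1 (not from the original post): the interface and ACL name are assumptions; the mode, the allow-self-ping option and the logging ACL are the ones described in the text.

```cisco
! Added example (not from the original post): strict uRPF on R1's provider-
! facing interface with a logging ACL for failed checks. GigabitEthernet1/0
! and the ACL name URPF-FAIL-LOG are assumed values. uRPF needs CEF.
ip cef
!
! Packets that fail the check are compared against this ACL: a permit would
! let them through anyway, "deny ... log" drops and logs them, which is the
! usual way to confirm the check is actually firing
ip access-list extended URPF-FAIL-LOG
 deny ip any any log
!
interface GigabitEthernet1/0
 description Outside (provider)
 ! rx = strict: the route back to the source must point out this interface.
 ! Use "any" instead of "rx" for loose mode where routing is asymmetric.
 ! allow-self-ping keeps pings to this interface's own address working.
 ip verify unicast source reachable-via rx allow-self-ping URPF-FAIL-LOG
```

'show ip interface GigabitEthernet1/0 | include verif' shows the mode and the drop counters, and with the logging ACL 'show logging' shows which sources are being dropped. Do not add allow-default on the interface the default route points out of, or nearly every spoofed source becomes "reachable".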




Wednesday, January 4, 2017

Securing the Control Plane (CoPP)


Traffic destined to the router itself is processed by the control plane; the control plane 'host' subinterface is the subsection of the router that receives traffic addressed to the router's own interfaces (management sessions, routing protocol packets, ICMP to the router).

Control plane policing uses:

class maps to classify the traffic
policy maps to police the traffic to a specific rate
a service policy to apply it to the control plane's logical interface (the 'host' subinterface)



Example: LIMIT-ACL permits SNMP and SSH traffic.

Class map LIMIT-Class classifies the traffic defined by the ACL. The policy map polices matched traffic to 64000 bps; all other traffic, which falls into class-default, is policed to 512000 bps.
The policy is applied inbound to the control plane host subinterface.
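The CoPP example above written out, as an added config that is not from the original post: the names and rates are from the text; the management subnet is an assumption, and the ACL is restricted to it rather than 'any', because an ACL that matches SSH from any source lets a spoofed source consume the management budget.

```cisco
! Added example (not from the original post): the CoPP policy described above.
! Rates and names are from the text; the management subnet 10.10.10.0/24 and
! the policy-map name LIMIT-Policy are assumed values.
ip access-list extended LIMIT-ACL
 permit udp 10.10.10.0 0.0.0.255 any eq snmp
 permit tcp 10.10.10.0 0.0.0.255 any eq 22
!
class-map match-all LIMIT-Class
 match access-group name LIMIT-ACL
!
policy-map LIMIT-Policy
 ! management traffic from the allowed subnet: 64 kbps
 class LIMIT-Class
  police 64000 conform-action transmit exceed-action drop
 ! everything else addressed to the router: 512 kbps
 class class-default
  police 512000 conform-action transmit exceed-action drop
!
! Apply to the host subinterface of the control plane (traffic addressed to the
! router itself). On platforms without CPPr, use "control-plane" on its own.
control-plane host
 service-policy input LIMIT-Policy
```

Verify with 'show policy-map control-plane host'. Routing-protocol traffic sharing a single class-default budget with everything else is how a flood takes adjacencies down; in production give routing protocols their own class and rate ahead of class-default.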