Day: June 15, 2015
The Permission Panic: How to Backup and Restore Share & NTFS Permissions | Lazy Admin Blog

It only takes one “Inheritance” checkbox error to bring a department to a standstill. If you are migrating a file server or just performing routine maintenance, having a permission backup is your “Undo” button.
1. Share Permissions (The Registry Method)
“Share” permissions (the ones you see in the Sharing tab) are not stored on the files themselves; they are stored in the Windows Registry.
To Backup: Open a Command Prompt (Admin) and run:
reg export HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares shareperms.reg
To Restore: Simply import the file back on the new or repaired server:
reg import shareperms.reg
Note: You must restart the ‘Server’ service or reboot for the shares to reappear.
2. NTFS Permissions (The icacls Method)
NTFS permissions (the “Security” tab) are much more complex. We use the built-in icacls tool to handle these.
The Backup Command:
icacls d:\data /save ntfsperms.txt /t /c
- /t: Recurses through all subfolders.
- /c: Continues even if it hits a single file error (like a long file path).
The “Tricky” Restore Command: When restoring, icacls treats the paths inside the text file as relative. If your backup file says “Data\Folder1,” and you try to restore to D:\Data, it will look for D:\Data\Data\Folder1.
The Correct Syntax:
icacls d:\ /restore ntfsperms.txt
Lazy Admin Warning: Always point the restore command one level above the folder you backed up. If you backed up D:\Data, restore to D:\.
Understanding the “Secret Code” (SDDL)
If you open your ntfsperms.txt file, you’ll see strings like D:AI(A;ID;FA;;;BA). This is Security Descriptor Definition Language (SDDL).
- BA = Built-in Administrators
- SY = Local System
- AU = Authenticated Users
It looks like gibberish, but to the Windows Kernel, it is a perfect map of your security infrastructure.
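Added example (not part of the original post): the PowerShell below reads the two-line records of an icacls /save file, decodes each SDDL string with .NET's RawSecurityDescriptor, and checks that the saved relative paths resolve under the intended restore root, which covers both the relative-path restore rule and the SDDL strings described above. The sample records, the helper names Get-SavedAce and Test-RestoreRoot, and the D:\ root are assumptions for illustration.

```powershell
# Added example. $sample is constructed; it mimics the two-line records
# (relative path, then SDDL) that icacls /save writes.
# For a real backup: $lines = Get-Content .\ntfsperms.txt -Encoding Unicode
$sample = @'
data
D:AI(A;ID;FA;;;BA)(A;OICIIOID;GA;;;SY)
data\Folder1
D:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)
'@
$lines = $sample -split "`r?`n" | Where-Object { $_.Trim() }

function Get-SavedAce {            # hypothetical helper name
    param([string[]]$Lines)
    $pFlag = [System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected
    for ($i = 0; $i + 1 -lt $Lines.Count; $i += 2) {
        $sddl = $Lines[$i + 1]
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
        foreach ($ace in $sd.DiscretionaryAcl) {
            [pscustomobject]@{
                Path      = $Lines[$i]
                NoInherit = $sd.ControlFlags.HasFlag($pFlag)  # "P" in D:PAI
                Type      = $ace.AceQualifier                 # AccessAllowed / AccessDenied
                Inherited = $ace.IsInherited                  # "ID" in the ACE flags
                Mask      = '0x{0:X}' -f $ace.AccessMask      # FA = 0x1F01FF
                Sid       = $ace.SecurityIdentifier.Value     # BA = S-1-5-32-544
            }
        }
    }
}

function Test-RestoreRoot {        # hypothetical helper name
    # Returns the saved paths that do not exist under $Root. An empty result
    # means "icacls $Root /restore <file>" will find every object it expects.
    param([string[]]$Lines, [string]$Root)
    for ($i = 0; $i -lt $Lines.Count; $i += 2) {
        $target = [System.IO.Path]::Combine($Root, $Lines[$i])
        if (-not (Test-Path -LiteralPath $target)) { $target }
    }
}

Get-SavedAce -Lines $lines | Format-Table -AutoSize
Test-RestoreRoot -Lines $lines -Root 'D:\'   # D:\ is the parent of the backed-up D:\data
```

Rows with NoInherit set to True are the objects where inheritance was switched off, which is the first place to look after an accidental "Inheritance" checkbox change.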
RDP Rescue: How to Fix Remote Desktop Issues Without a Reboot | Lazy Admin Blog

If you can reach a server via ping or the VM console but RDP is failing, you can often “kick-start” the service by toggling specific registry keys. This forces the Terminal Services stack to re-read its configuration without dropping the entire OS.
1. The Firewall Check
Before diving into the registry, ensure the Windows Firewall isn’t blocking port 3389. If you have console access, try disabling it temporarily to rule it out, and turn it back on as soon as you have your answer.
- Quick Command:
netsh advfirewall set allprofiles state off
2. The “Deny” Toggle (The Most Common Fix)
Sometimes the registry says RDP is allowed, but the service isn’t honoring it. Toggling the value can reset the listener.
Path: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
- fDenyTSConnections: Should be 0. (If it’s already 0, change it to 1, refresh, then back to 0.)
- fAllowToGetHelp: Should be 0 to ensure Remote Assistance isn’t conflicting.
3. WinStation Listeners (RDP & Citrix)
If the main switch is on but the specific “listener” is disabled, you’ll get a “Connection Refused” error.
For Standard RDP: Path: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- fEnableWinStation: Must be 1. Toggle this (1 -> 0 -> 1) to reset the listener.
For Citrix Servers (ICA): Path: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\ICA-Tcp
- fEnableWinStation: Must be 1.
4. Port Verification
Ensure the server is actually listening on the standard port. If someone changed the RDP port for “security,” your connection will fail.
Path: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- PortNumber: Should be 3389 (Decimal).
Test it from your workstation: tnc <ServerIP> -port 3389 (PowerShell) or telnet <ServerIP> 3389
5. The Winlogon Block
In rare cases, the entire Winlogon station for terminal services is disabled at the software level.
Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- WinStationsDisabled: Must be 0. If set to 1, no one can log in via RDP regardless of other settings.
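Added example (not part of the original post): a read-only PowerShell check that reads every value from steps 2 to 5 and reports which ones differ from what the post expects, so you know which key to toggle before touching anything. The helper name Test-RdpRegistry and the report layout are assumptions; Get-NetTCPConnection requires Windows Server 2012 or later.

```powershell
# Added example: read-only check of the values from steps 2-5. It changes nothing.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"
$expected = @(
    @{ Path = $ts;  Name = 'fDenyTSConnections'; Want = 0 }   # value name as stored on disk
    @{ Path = $ts;  Name = 'fAllowToGetHelp';    Want = 0 }
    @{ Path = $rdp; Name = 'fEnableWinStation';  Want = 1 }
    @{ Path = $rdp; Name = 'PortNumber';         Want = 3389 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'WinStationsDisabled';             Want = 0 }
)
# Citrix listener: only checked when the key exists on this server
$ica = "$ts\WinStations\ICA-Tcp"
if (Test-Path $ica) { $expected += @{ Path = $ica; Name = 'fEnableWinStation'; Want = 1 } }

function Test-RdpRegistry {        # hypothetical helper name
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Key    = $c.Path -replace '^HKLM:\\', 'HKLM\'
            Value  = $c.Name
            Want   = $c.Want
            # A missing value is reported as such, not assumed to be correct
            Actual = if ($null -eq $actual) { '<missing>' } else { $actual }
            # Compared as strings because WinStationsDisabled is stored as REG_SZ
            Ok     = ($null -ne $actual) -and ("$actual" -eq "$($c.Want)")
        }
    }
}

$report = Test-RdpRegistry -Checks $expected
$report | Format-Table -AutoSize

# Is anything actually listening on the configured port?
$port = (Get-ItemProperty -Path $rdp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if ($port) {
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
    "Listener on TCP ${port}: $listening"
}
```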
Lazy Admin Tip 💡
If you can’t get to the console, you can change these registry keys remotely from your workstation! Open Regedit, go to File > Connect Network Registry, and enter the target server’s name. You can perform all the toggles mentioned above without ever leaving your desk.
The Ultimate IT Compliance & Terminology Encyclopedia (2026 Edition) | Lazy Admin Blog

In the enterprise world, “Standard” is a myth. Every system you touch falls into a bucket that defines how you patch it, who can access it, and how long you keep the logs. If you misclassify a system, you’re not just breaking a rule—you’re inviting an auditor to move into your office for a month.
1. The “Big Three” of Regulatory Compliance
Sarbanes-Oxley (SOx)
- Industry: Finance / Publicly Traded Companies (US).
- The Focus: Preventing financial fraud.
- IT Impact: Controls over who can modify financial data. If a system supports a key business financial process (ERP, Payroll, Billing), it is In-Scope for SOx.
- The Issue: A failure to rotate admin passwords or an unlogged manual change to a database.
GxP (Good Practice)
- Industry: Life Sciences / Pharmaceuticals / Medical Devices.
- The Focus: Product safety and human life. (GMP = Manufacturing, GLP = Lab, GCP = Clinical).
- IT Impact: Systems must be Validated (proven to do exactly what they say). Any uncontrolled change can “De-validate” the environment.
- The Issue: Loss of clinical data or unscheduled downtime during a manufacturing run.
GDPR / CCPA / LGPD
- Industry: Global / Consumer Data.
- The Focus: Individual Privacy.
- IT Impact: The “Right to be Forgotten.” You must be able to delete a specific user’s data from all production systems and backups upon request.
- The Issue: A data leak of personal information or failing to delete data within the legal timeframe.
2. Industry-Specific Verticals
| Compliance | Industry | Key Requirement |
| --- | --- | --- |
| HIPAA | Healthcare (US) | Protection of ePHI (Electronic Protected Health Information). Encryption is non-negotiable. |
| PCI-DSS | Retail / Finance | Security of the CDE (Cardholder Data Environment). Strict network isolation for credit card traffic. |
| FERPA | Education (US) | Protection of student records and privacy. |
| FISMA | Government (US) | Security standards for federal agencies and contractors. |
3. Internal Quality vs. Security Issues
Quality Issue (Non-Conformance)
A failure to follow internal Standard Operating Procedures (SOPs).
- Example: You applied a patch during a blackout period without CAB approval. The server didn’t break, and it’s not a legal breach, but it is a Quality Issue because you ignored the process.
Security Issue (Breach)
An uncontrolled event that compromises the Confidentiality, Integrity, or Availability of data.
- Example: Social engineering (phishing), unauthorized root access, malicious code (Trojans/Worms), or theft of hardware.
4. Technical Audit Terminology
- ALCOA+: The gold standard for data integrity. Data must be Attributable, Legible, Contemporaneous, Original, and Accurate.
- Segregation of Duties (SoD): The person who requests a change cannot be the same person who approves it or implements it.
- SOC 2 (Type I & II): An audit report demonstrating that a service provider manages data securely (Common for SaaS).
- SLA (Service Level Agreement): The promised uptime. Exceeding the agreed downtime isn’t just a technical failure; it’s a Quality Issue.
- Tombstone Lifetime: In AD, the number of days a deleted object is kept before being physically removed from the database (usually 60–180 days).
Lazy Admin Tip 💡
Always keep a “Compliance Map” of your server rack. Knowing which VLAN is PCI-In-Scope versus which one is just Dev/Test will save you from accidentally triggering a massive audit trail for a routine reboot.