11 Tricks for Windows servers
Fine-tuning Windows servers doesn't have to be a complex process. Easily manageable commands and settings can have a great effect. In this article, I look at 11 practical tips for Windows servers.
1. Remote Desktop Settings
In many organizations, employees use Remote Desktop, which is usually activated in the server's graphical user interface or from the Server Core text-based menu (sconfig). On servers with a graphical user interface, the quickest way to reach the settings is to call sysdm.cpl. However, you can also enable Remote Desktop from the registry with the settings found in the HKLM | SYSTEM | CurrentControlSet | Control | Terminal Server key, which means you can activate it by importing registry entries. The most important entry is the DWORD fDenyTSConnections. A value of 0 activates Remote Desktop, and a value of 1 disables it. Note that the registry value alone does not open the Windows Firewall: the built-in "Remote Desktop" rule group must also be enabled. Network Level Authentication (the UserAuthentication value under Terminal Server | WinStations | RDP-Tcp) should stay set to 1 so that clients must authenticate before the server creates a session. To see which users are connected to a server (Figure 1), run the command:
qwinsta /server:<server name>
To deny access to certain users, use group policies. To block access to Remote Desktop Services (e.g., for local administrators), manage the authorizations centrally. The path to the settings is Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment. The following two settings are important:
- Deny log on through Remote Desktop Services
- Deny log on locally
Here, you configure which users may not log on to the server locally (i.e., directly at the console) and which users may not connect to the server by Remote Desktop. Because these are deny rights, they take precedence over the corresponding allow rights: an account listed in "Deny log on through Remote Desktop Services" is blocked even if it is a member of the Remote Desktop Users or Administrators group. Remote Desktop connections can also be opened in the web browser if you use Windows Admin Center: its Remote Desktop tool connects to the managed server and opens the session in the browser.
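The following script is an added example and not code from the article. It enables Remote Desktop through the same fDenyTSConnections value the section describes, but also sets the two things the registry value alone does not give you (Network Level Authentication and the firewall rule group), and then returns the resulting state as an object so a deployment script can check it. It assumes an elevated PowerShell 5.1 or later session on the target server; the key paths and rule group name are the standard ones.

```powershell
# Added example (not from the article): enable Remote Desktop via fDenyTSConnections,
# require Network Level Authentication, open the built-in firewall rule group, and report the state.
# Assumes an elevated PowerShell session on the target server.
#Requires -RunAsAdministrator
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsKey 'WinStations\RDP-Tcp'

function Enable-RemoteDesktop {
    # 0 = allow connections, 1 = deny connections (the value the article describes).
    Set-ItemProperty -Path $TsKey -Name 'fDenyTSConnections' -Value 0 -Type DWord
    # UserAuthentication = 1 enforces NLA: the client authenticates before a session is created.
    Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
    # The registry flag does not open TCP 3389; the built-in "Remote Desktop" rule group does.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Get-RemoteDesktopState {
    # Returns an object to assert on instead of parsing console output.
    [pscustomobject]@{
        Enabled        = (Get-ItemProperty -Path $TsKey  -Name 'fDenyTSConnections').fDenyTSConnections -eq 0
        NlaRequired    = (Get-ItemProperty -Path $RdpTcp -Name 'UserAuthentication').UserAuthentication -eq 1
        FirewallOpen   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                           Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
        # Same information as "qwinsta" in the article, reduced to the sessions in the Active state.
        ActiveSessions = @(qwinsta 2>$null | Select-Object -Skip 1 | Where-Object { $_ -match '\sActive\s' })
    }
}

Enable-RemoteDesktop
Get-RemoteDesktopState | Format-List
```

Running Get-RemoteDesktopState on its own is a useful audit step: a server where Enabled is true but NlaRequired is false accepts unauthenticated connections to the logon screen, which is exactly the exposure NLA is meant to close.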
2. Uninstalling Media Player
By default, Windows Media Player is installed on Windows Server 2019. Because this tool is not needed on production servers, it is an unnecessary component and therefore unnecessary attack surface. To uninstall Media Player, run the command:
dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer /norestart
The command is also useful for deployment scripts or tools that distribute settings automatically to servers. Besides Windows Admin Center and Server Manager, Media Player can also be removed with the PowerShell command:
Disable-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer
Both commands disable the feature but leave its payload in the component store. Add /Remove (DISM) or -Remove (PowerShell) to delete the payload as well; re-enabling the feature then requires installation media or Windows Update.
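As an added example (not code from the article), the following function makes the removal idempotent for use in a deployment script: it only acts if the feature is still enabled, removes the payload as well, and returns the resulting feature state so the script can verify the outcome. It assumes an elevated PowerShell session on Windows Server 2019.

```powershell
# Added example (not from the article): remove Windows Media Player only if present and
# return the resulting feature state. Assumes an elevated PowerShell session.
#Requires -RunAsAdministrator
function Remove-MediaPlayer {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer
    if ($feature.State -eq 'Enabled') {
        # -Remove also deletes the payload from the component store; -NoRestart defers the reboot
        # so the script can finish other changes first.
        Disable-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer -Remove -NoRestart | Out-Null
    }
    # Post-state: Disabled, DisabledWithPayloadRemoved, or a *Pending state until the next reboot.
    (Get-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer).State
}

Remove-MediaPlayer
```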
3. Configuring LDAP Priorities and Weighting
Checking that the LDAP SRV records in the Domain Name System (DNS) are correct can help you detect Active Directory (AD) issues. Domain controllers (DCs) being correctly reachable through their SRV records is an important basis for many server-based services. You can launch the check with the fully qualified domain name (FQDN; joos.int in this example):
nslookup -type=all _ldap._tcp.dc._msdcs.joos.int
Domain controllers register multiple SRV records (Figure 2), which tell clients which DCs they should contact. Clients always prefer the DCs with the lowest priority value (the Netlogon default is 0); DCs with a higher value, for example 1 or 2, are only contacted if no DC with a lower priority value responds. The weighting distinguishes DCs with the same priority: selection is proportional to the weight, so a DC with a weighting of 10 is addressed roughly twice as often as a DC with a weighting of 5 (the Netlogon default is 100). In other words, you can relieve the load on individual DCs by adjusting the weighting. This procedure is also useful if you want to replace a DC and reduce the number of requests reaching it beforehand.
The settings can be seen in the properties of the DNS record, but they are defined on each DC by registry entries in the key HKEY_LOCAL_MACHINE | SYSTEM | CurrentControlSet | Services | Netlogon | Parameters, where you enter the weighting and priority for that DC's own records:
- "LdapSrvWeight"=dword:00000001
- "LdapSrvPriority"=dword:00000002
In most cases, you will have to create the two DWORD values because they do not exist by default. They take effect after restarting the DC or after restarting the Netlogon service, which re-registers the DC's SRV records:
net stop NETLOGON && net start NETLOGON
To display the current values, run the command again:
nslookup -type=all _ldap._tcp.dc._msdcs.joos.int
The entries are displayed in the DNS record properties in the priority and weight fields (Figure 3). Other DCs and clients only see the change after the updated records have replicated and cached copies have expired, so allow for the record TTL before judging the effect. If you need to set these values on many DCs, the same settings are available centrally as group policies under Computer Configuration | Administrative Templates | System | Net Logon | DC Locator DNS Records, which avoids editing the registry on each server.
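The following script is an added example and not code from the article. It shows the complete procedure in PowerShell: read the current SRV records for the domain with Resolve-DnsName (the same query as the nslookup command above, but returned as objects with Priority and Weight properties), write the two Netlogon registry values on the local DC, restart Netlogon, force re-registration, and read the records again. It assumes an elevated PowerShell session on the DC itself and uses the article's domain joos.int and its example values (priority 2, weight 1); change them for your environment.

```powershell
# Added example (not from the article): inspect and re-weight a DC's LDAP SRV records.
# Assumes an elevated PowerShell session on the DC; domain and values are the article's examples.
#Requires -RunAsAdministrator
$Domain  = 'joos.int'
$SrvName = "_ldap._tcp.dc._msdcs.$Domain"

function Get-DcSrvRecords {
    param([string]$Name = $SrvName)
    # Resolve-DnsName also returns the additional A records; keep only the SRV answers.
    # Lower Priority wins; among equal priorities, higher Weight receives proportionally more clients.
    Resolve-DnsName -Name $Name -Type SRV -DnsOnly |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
}

function Set-DcSrvWeighting {
    param(
        [ValidateRange(0, 65535)][int]$Priority = 0,   # Netlogon default is 0
        [ValidateRange(0, 65535)][int]$Weight   = 100  # Netlogon default is 100
    )
    $Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    # The values do not exist by default; New-ItemProperty -Force creates or overwrites them.
    New-ItemProperty -Path $Key -Name 'LdapSrvPriority' -PropertyType DWord -Value $Priority -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'LdapSrvWeight'   -PropertyType DWord -Value $Weight   -Force | Out-Null
    # Netlogon re-registers this DC's SRV records on start; nltest forces the registration
    # immediately instead of waiting for the periodic refresh.
    Restart-Service -Name Netlogon
    nltest /dsregdns | Out-Null
}

# Usage: show the current distribution, drain this DC as in the article, then re-check.
Get-DcSrvRecords | Format-Table -AutoSize
Set-DcSrvWeighting -Priority 2 -Weight 1
Start-Sleep -Seconds 15   # the local DNS server needs a moment to accept the dynamic update
Get-DcSrvRecords | Format-Table -AutoSize
```

Get-DcSrvRecords is also a handy health check on its own: a DC that is missing from the list, or that appears with an unexpected priority, is a DC that clients will not locate the way you intend.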