SPF, DMARC, DKIM and your email

A Basic Understanding of Domain Name Services

DNS registrars allow individuals and companies alike to purchase and hold domain names. If you own a domain name for your business, you can use it to point at servers on the internet. For example, Apple Inc. owns the domain name apple.com. Apple's web designers have built a website on the web server whose IP address is 17.142.160.59. All servers on the internet have IP (Internet Protocol) addresses, but IP addresses are too complicated to remember easily. This is where DNS comes in. Apple uses DNS to direct customers to its website by pointing apple.com at the IP address of its web server; the result is that anyone anywhere in the world who wishes to visit Apple's website can go to apple.com without knowing or remembering the IP address of Apple's web server. In the same way, if you were to send an email to steve@apple.com you would be sending an email to the user “Steve” @ (at) the email server Apple specifies in its DNS records for apple.com, and DNS would route your message to Steve's mailbox. If you are a business owner you might have a web page or a professional email address that uses your domain name. If you do, a critical step in making sure your email works correctly and is secure is to make sure you have SPF, DMARC and DKIM DNS records for your domain name.

  • SPF is a record that determines who is allowed to send email from your email address.
  • DMARC tells email servers what you would like them to do with spoofed messages and can alert you if your email address is being spoofed or impersonated.
  • DKIM allows you to stamp the email you send with the digital equivalent of a wax seal; this lets receiving email servers know, with a greater degree of confidence, that the message they received is from you and not a spoof.

How will I know if SPF, DMARC & DKIM are correctly setup for my domain?

There are some free tools you can use to help figure out if you're set up correctly.

  1. Look at what the mxtoolbox SuperTool has to say about your domain by looking up your domain name at https://mxtoolbox.com/SuperTool.aspx; anything with a red X next to it is something you may want to look into.
  2. Check whether you have SPF, DMARC and DKIM configured correctly by using the tool at globalcyberalliance.org.
  3. If you're not quite sure, ask for help by clicking Contact.

The SPF record type

SPF stands for Sender Policy Framework. An SPF record allows you to specify who is allowed to send email from your domain.

The consequences of an incorrectly set up SPF:

  • Email spoofing: anyone on the internet may be able to send email from your email address. This poses a security risk in that you may receive phishing messages that appear to come from people within your domain and look legitimate even though they are not.
  • Email deliverability issues: when an SPF record is configured incorrectly or not configured at all, email you send may never reach the people you're sending it to, which causes a communication problem.

There are three main types of SPF records, distinguished by the qualifier on the “all” mechanism at the end of the record.

“?all” for a neutral result (no policy is applied to received email messages). In general this is a bad configuration: a neutral SPF record will allow anyone on the internet to spoof your email address. It is sometimes useful, combined with DMARC reporting of failures, while migrating to a stricter SPF setting.

“~all” for soft fail: typically the SPF processor will tag the message as failed but still deliver it (some mail servers will send these messages to the spam or junk folder). Not ideal, but a common configuration, as in general it won't cause deliverability problems.

“-all” for fail: messages will typically be rejected by the receiving mail server if they did not come from a sender listed in the SPF policy. This is the most desirable configuration, as it prevents spoofed messages from your email domain. When combined with DMARC and DKIM, spoofed messages should almost never be delivered, and if they are you should get a report about it from DMARC and be able to prove you didn't send the spoofed message in question.

DMARC

A long acronym that stands for: “Domain-based Message Authentication, Reporting & Conformance”

“A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.” – dmarc.org

DMARC is very useful to have. With a DMARC record you can ask email servers to send spoofed messages to spam or even not deliver them at all. The other key thing you get with DMARC is reporting: DMARC gives you the ability to find out if you are being spoofed, that is, if someone on the internet is using email to pretend to be you! DMARC is useful as both a mitigation and an investigative tool, and can be immensely helpful, especially if you regularly communicate with customers using email.

DKIM

DKIM is a way for you to sign outbound messages automatically with a special seal of approval, the digital equivalent of a fancy wax seal on a letter. By doing this you can prove to an email server that the message came from an authorized source. In your DMARC record you can specify what you would like mail servers to do with unsigned messages, just like you can with messages that don't meet SPF. DKIM exists to provide extra assurance of a message's origin beyond what SPF can deliver, and can reduce the likelihood of a message being marked as spam in some cases, but it is generally only taken into account if the receiving mail server is using DMARC to vet messages. Aside from being used in conjunction with DMARC, DKIM can also be used to prove a message was a spoof. If you have a loose SPF policy and are not using DMARC (which you really should), it may be a good idea to sign email messages using DKIM so that if someone impersonates your email address and sends a malicious email to one of your contacts, you have a way to prove (via your “wax seal”) to that person that you did not send it. Damage might have been done, but at least with DKIM you can point to the fact that you were innocent of sending the malicious message.
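To make the SPF qualifiers, DMARC policy and DKIM key checks above concrete, here is an added example (my own code, not from the original post) that grades a domain's three records the way the post describes them. DNS lookups are replaced by a constructed TXT_RECORDS table so it runs offline; every domain name, selector and key value in it is made up.

```python
"""Added example, not from the original post: an offline checker that grades
a domain's SPF, DMARC and DKIM TXT records along the lines the post lays out.
DNS lookups are stubbed with the constructed TXT_RECORDS table below so it
runs without network access; every domain and selector in it is made up."""
import re

# Constructed stand-in for DNS TXT lookups (the DKIM p= value is a truncated
# dummy, not a real key).
TXT_RECORDS = {
    "example.test": ["v=spf1 mx include:_spf.mailhost.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ"],
    "loose.test": ["v=spf1 a mx ?all"],
    "_dmarc.loose.test": ["v=DMARC1; p=none"],
    "open.test": ["v=spf1 +all"],
}

# SPF terms that each cost one of the 10 DNS lookups RFC 7208 allows per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name):
    return TXT_RECORDS.get(name.lower(), [])


def parse_tags(record):
    """Parse 'k=v; k=v' tag lists as used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def term_name(term):
    """'include:foo' -> 'include', '~all' -> 'all', 'a/24' -> 'a'."""
    m = re.match(r"^[+\-~?]?([a-z0-9]+)", term.lower())
    return m.group(1) if m else ""


def check_spf(domain):
    """Rate the SPF record: strong (-all), soft (~all), weak (?all / no all),
    open (+all), missing or invalid."""
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "missing", "no v=spf1 record: any host may send as this domain"
    if len(records) > 1:
        return "invalid", "multiple v=spf1 records (receivers treat this as permerror)"
    terms = records[0].split()[1:]
    lookups = sum(1 for t in terms if term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        return "invalid", f"{lookups} lookup terms exceed the RFC 7208 limit of 10"
    all_term = next((t for t in terms if term_name(t) == "all"), None)
    if all_term is None:
        return "weak", "no 'all' mechanism: unlisted senders get a neutral result"
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {
        "-": ("strong", "-all: unlisted senders are rejected"),
        "~": ("soft", "~all: unlisted senders soft-fail, often landing in spam"),
        "?": ("weak", "?all: neutral, no policy applied to unlisted senders"),
        "+": ("open", "+all: every host on the internet passes SPF"),
    }[qualifier]


def check_dmarc(domain):
    """Rate the _dmarc policy and report whether aggregate reports are requested."""
    records = [r for r in lookup_txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not records:
        return "missing", "no _dmarc record: receivers decide on their own what to do with failures"
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", f"p={policy!r} is not a valid DMARC policy"
    level = {"reject": "strong", "quarantine": "soft", "none": "weak"}[policy]
    reports = "reports to " + tags["rua"] if "rua" in tags else "no rua= tag, so you get no spoofing reports"
    return level, f"p={policy}; {reports}"


def check_dkim(domain, selector):
    """Confirm a DKIM public key is published for the selector (the 'wax seal')."""
    name = f"{selector}._domainkey.{domain}"
    records = lookup_txt(name)
    if not records:
        return "missing", f"no DKIM key published at {name}"
    if not parse_tags(records[0]).get("p"):
        return "invalid", f"DKIM record at {name} has an empty p= (revoked key)"
    return "strong", f"DKIM public key published at {name}"


def grade_domain(domain, selector):
    """Return {'spf': (level, detail), 'dmarc': ..., 'dkim': ...}."""
    return {"spf": check_spf(domain), "dmarc": check_dmarc(domain),
            "dkim": check_dkim(domain, selector)}


if __name__ == "__main__":
    for dom in ("example.test", "loose.test", "open.test"):
        for kind, (level, detail) in grade_domain(dom, "sel1").items():
            print(f"{dom:13} {kind.upper():5} {level:8} {detail}")
```

To use it against a real domain, replace lookup_txt with an actual TXT query (for example via dnspython) and pass the DKIM selector your mail provider gave you.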

If you have now set up SPF, DMARC, and DKIM, congratulations! You're helping the world build a better, more secure email communications platform. If you would like help setting up a more secure or robust email system, you can always contact us at the top of the page or with the contact link.

 


General Security Advice

I was in Starbucks the other day and overheard a local computer tech helping someone reinstall Windows on their notebook. The tech left and I started a conversation with the notebook owner, giving him some advice about making a good backup of the computer after he had finished, so that if something were to go wrong again he would be able to recover quickly next time. That may not sound like security advice, but it really is: often the act of protecting data is done to protect our time and resources. Starting over with a fresh install of Windows involved paying a computer tech, more than a few hours of his time and potential loss of data. If he had a backup of his new computer he would not have had to spend time in Starbucks, spend his money on the computer tech's time, or, no doubt, spend time in the future getting all of his programs and settings configured again.

Security is the art of protecting assets or knowledge in such a way that the “Cost” of destroying, disrupting, or disappearing them is insurmountably high. The “Cost” of an attack is equal to the amount of negligence or effort that you or an attacker must expend to destroy, disrupt, or disappear the protected asset. Realistically, if someone is able to pay the “Cost” in time or money to conduct the attack, they can compromise your security.

The following is the collection of advice I wish I could also have given him but just did not have the time to. This is also the advice I give to family members, coworkers, and people like you who stumble across my website; in general it will increase the “Cost” of an attack.

A. Securing The Online Accounts 

  1. Use a password manager and avoid reusing passwords across sites like the plague (side note: it is the plague). LastPass is a great starting point; don't forget your master password. If you don't like the idea of storing your passwords online, KeePass is a good option, as is Password Safe by Bruce Schneier.
  2. Enable second-factor authentication on all your accounts, including your password manager if you're using an online one.
  3. Set up haveibeenpwned.com notifications for the email account(s) you use.
  4. Recognize the human error factor: humans make mistakes. When you're using the web, make sure you're using an ad blocker to avoid malicious advertisements that might lead you to a spoofed site; uBlock Origin is great for this. Using a third-party DNS service is also a great help: Quad9 or OpenDNS greatly increases your security at no cost and is fairly easy to set up.

B. Securing The Personal Computer

  1. Don't use an admin account for everyday computing. This applies to macOS, Linux and Windows, no exceptions. Follow the principle of least privilege.
  2. Data security is just as important as account security in most cases; having backups is the best way to secure your data from accidental deletion, corruption, and ransomware. Veeam Endpoint Free is free and does a great job backing up your entire system.
  3. Run an up-to-date version of your operating system and ensure you have security updates installed.
  4. Nuke and pave: if your system has been compromised, it truly is the only way to be sure you're safe again. Make sure you have a good backup, erase the internal disk, and reinstall your operating system.

A note on antivirus software: I did not mention antivirus here because consumer-grade antivirus systems seem to change like the wind lately. In general, if you're looking for an antivirus system I would recommend looking at reviews from IT people, as they spend a lot more time than you can imagine evaluating antivirus solutions for their respective companies. Nearing the end of 2017 I have begun to see a rise in malware that exploits antivirus systems to compromise the systems they were designed to protect. In general your best antivirus option is an up-to-date computer with the most recent security patches installed; following best practices, in particular B.1, is your best bet.

C. Securing The Data

  1. 3-2-1 backups: if your data is not following 3-2-1 backups, your data does not exist and likely won't be recoverable if you lose it.
  2. If you're storing sensitive data in the cloud, use some form of “pre-internet encryption”. For Windows, Mac and Linux, VeraCrypt is probably the gold standard, but there are other encryption tools; even an encrypted zip file is better than nothing. Note: password protected and encrypted are different things; know the difference and use the right one.
  3. If it's unimportant data, back it up; if it's important data, back it up again. The number one reason important data can't be restored is that someone didn't think it was important. If you back up everything all the time, this is an easy pitfall to avoid.

D. Securing The Network

  1. If your router can be found at routerpwn.com, consider getting a different router or looking for firmware updates that fix the issue listed; if your router does not have firmware updates or a fix, then get a different router.
  2. Take a look at what GRC's ShieldsUP! has to say. If your router has open ports, make sure you have NAT enabled on your router. The best option to avoid any conflict is to simply not be there: “Stealth” is what you want from the ShieldsUP! test.
  3. If you have Internet of Things devices on your network, use the 3 Dumb Routers method to separate out your network.
  4. If you have WiFi, make sure you're using a good password, only use WPA2 or greater authentication, and disable WPS if possible.
  5. Use a third-party DNS server on your router; Quad9 or OpenDNS are good options. To find out which DNS server is the quickest around you, run the DNS Name Speed Benchmark at GRC.com.
  6. If you don't require devices on your wireless network to talk to each other (this is rare), or have particular devices that don't need to talk to other devices for any reason, consider putting those devices on your guest network.

E. Securing the Human

This is the hardest part, even if you have done everything else correctly we are only human and are going to mess something up. Securing the human part of the system comes down to checking yourself as you use computer systems. There are a lot of moving parts to this but in general the following are true and if followed will make you less vulnerable.

  1. Always go to the source. If you receive a phone call from your bank and they want to verify your social security number over the phone, just hang up, Google your bank's phone number (or look on the back of your debit card) and call them back. If it was them, you're good to go; if it was not them that called you, congratulations, you have just evaded an attack. The same applies to handling phishing messages. A common one we see is a message warning someone that their email mailbox is out of space and telling them to click a link to get more space; if you click the link it prompts you to log in to your cloud email, and if you do, your account will be compromised because you are giving the attackers your login information. The right thing to do is to ask your email admin if you are running out of space, or log in on the web and check whether you are running out of space. By going to the source, almost all phishing attacks are thwarted. This also applies to software: is a website telling you that you need to install Flash? Guess what? Don't click the link! Go to a place you know uses Flash and see if you actually do need it; odds are you don't (side note: Flash is evil, you don't need it, and it's disabled by default almost everywhere now).
  2. TNO, Trust No One. Criminals don't target computer systems, they target people, and they target them because they want something. Be cautious about giving out information and about being given information. Don't trust until you have gone to the source. TNO is also a good philosophy around systems: good systems and services don't require you to have any trust in the people running them for your data to be safe. For example, tarsnap is a great backup system; it accomplishes TNO by allowing you to download and compile the tarsnap backup application from the source code and set your own encryption keys. Because data is encrypted before it leaves your system, and since you can verify the application doing the encryption and uploading of data, you don't have to trust the developers who wrote the code.
  3. If it's too good to be true... (you know the rest of this one; your mother told you, my mother told me, the attacker's mother told him, we all know this.) SPOILER ALERT: it is. There is no Indian prince willing his inheritance to you, there is no free iPad you won, and there is always a mass phishing campaign in the works, run by smart people who are looking to make you the sucker. Think about the cost: how much does it cost you to send an email? Right... if it only costs them a couple of minutes of their time to cheat you out of the money in your bank account, guess what they are going to try to do. The bigger piece is that the way phishing works is that it's not a couple of minutes of their time per person phished, it's a couple of minutes per millions; it's an automated system, a service even, and its target is not you... its target is everyone.

Resource List

Final Thoughts: We live in a world now where hackers are driving the cost of attacking systems down by having systems and automation do the attacks for them.  Microsoft said it best I think “Eternal vigilance is the price of security”.

Setup Samba on CentOS-7 (on LXD)

Previously I had written an article about setting up a file server using FreeBSD and Samba, and I still think that FreeBSD is a great choice for a file server. That said, I am now using LXC and LXD containers on Ubuntu, and Samba works very much the same way on CentOS-7, which I can run as a container on Ubuntu to get a very similar result. Setting Samba up on a base CentOS-7 install should work much the same way; if you have a CentOS-7 server you can skip the Container Stuff.

I am assuming that your starting point is an up-to-date Ubuntu 16.04 server.

Networking Setup
For this use case we are assuming that our system is on a local network (not internet exposed). We want our container to have a LAN IP so that other computers on our LAN can talk to it; there are a couple of different ways to set this up. The way that I have found to be the easiest in my case has been to change the default container profile so that the nictype of the containers is set to macvlan.

Run ifconfig, which should give you something like this:

ifconfig

enp0s25   Link encap:Ethernet  HWaddr d0:50:99:79:98:dd
          inet addr:192.168.88.2  Bcast:192.168.88.255  Mask:255.255.255.0
          inet6 addr: fe80::d250:99ff:fe79:98dd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1354182 errors:0 dropped:132 overruns:0 frame:0
          TX packets:704181 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1724747998 (1.7 GB)  TX bytes:598961741 (598.9 MB)
          Interrupt:20 Memory:efd00000-efd20000

You may have more adapters; find the one that has the IP you ssh'd into and take note of its name. In my case it's enp0s25.

Changing nictype to macvlan: lxc profile edit default will open the profile in nano.

lxc profile edit default

# Change
nictype: bridged  ->  nictype: macvlan

# Change
parent: whatever  ->  parent: your primary nic name (enp0s25 in my case)

Container Stuff: Build a CentOS-7 Container

lxc launch images:centos/7/amd64 smbserver

Drop into the container's shell:

lxc exec smbserver /bin/bash

Setting up SAMBA on CentOS-7
If you're not using containers then you should be SSH'd into your server now. Regardless, go ahead and install updates. If you have an Active Directory environment you can also set up Samba to use AD for authentication using my notes here; if not, continue on.

install samba

yum install samba

start samba

systemctl enable smb.service
systemctl start smb.service

Adding users (both to the system and to samba)

# adding a user with useradd (-m tells useradd to create a home directory)
useradd -m joe

# set the users password so they can login
passwd joe

# set the samba password so they can login using samba
smbpasswd -a joe

If all you wanted is for users to be able to store things in their home folder, then you're done; the default smb.conf configuration shares out home folders by default. If you want to create a different file share you will need to edit your smb.conf file.

vi /etc/samba/smb.conf

A basic file share for users bob, joe and the group @sysadmins (using the /opt/sysadmins folder created in the group setup below):

[sysadmin_share]
comment = My shared folder
path = /opt/sysadmins
public = no
writable = yes
guest ok = no
valid users = joe, bob, @sysadmins

Group setup for the sysadmins group and sysadmins share:

groupadd sysadmins
mkdir /opt/sysadmins
chgrp sysadmins /opt/sysadmins
chmod -R 770 /opt/sysadmins
# add an existing user (joe here) to the group so they can access the share
usermod -a -G sysadmins joe

Now all that’s left to do is go to a client system and try to access the share.

Replacing Windows file servers with CentOS7, SSSD, and Samba

This is very much still a work in progress.

These are some misc notes on how I've gotten CentOS to host SMB shares over the network and use Active Directory to authenticate users to them.

Before going any further, get yourself a CentOS minimal install on whatever system you plan on using for your file server, run updates and configure networking (give your VM/container/server a hostname that makes sense), grab a cup of coffee, open your favorite terminal emulator/SSH client, log in and su yourself to root.

Disable selinux by setting SELINUX=disabled in /etc/sysconfig/selinux

vi /etc/sysconfig/selinux
SELINUX=disabled

If you want to keep selinux enabled you’ll have to run 

chcon -t samba_share_t /your_smb_share_dir

on every share you make. 

Install Samba and its friends

yum install realmd samba samba-common oddjob oddjob-mkhomedir sssd ntpdate ntp

Make sure Samba can talk through the firewall

firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

Set up system time

systemctl enable ntpd.service
ntpdate yourdomaincontroller.yourdomain.tld
systemctl start ntpd.service

Some have noted that in order for things to work right you might need to add your DC as a server entry to /etc/ntp.conf, I have not yet needed to do this.

CentOS meet Windows active directory

realm join --user=domainadmin@yourdomain.tld yourdomain.tld

Confirm that things went well and CentOS is joined to AD

realm list

If everything went well you should see output that lists your domain. You can now use your favorite terminal emulator to SSH into your CentOS box using your AD login; it should look something like this:

ssh austin.janey@mydomain.com@your_centos_server

If that worked you're good to go; if not, Google is your friend.

Before the next step you will need to log in to one of your domain controllers and create a security group that you'll specify in your Samba config; members of this AD group will be able to access the files in the file share specified.

Configuring Samba to play well with Windows file sharing
Time to edit /etc/samba/smb.conf:

sudo vi /etc/samba/smb.conf

[global]
workgroup = MYACTIVEDIRECTORYDOMAIN
server string = Samba Server Version %v
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = MYDOMAIN.LOCAL

# in my test network I could not get AD authentication for smb shares to work
# without adding "kerberos method = secrets and keytab"
kerberos method = secrets and keytab

# Add the IPs / network ranges / subnets allowed access to the server in general.
# This is not a necessary entry but in general a good idea.
# hosts allow = 127. your local network info

# log files split per-machine:
log file = /var/log/samba/log.%m

# enable the following line to debug:
# log level = 3
# maximum size of 50KB per log file, then rotate:
max log size = 50

# Not interested in printers
load printers = no
cups options = raw

# This stops an annoying message from appearing in logs
printcap name = /dev/null

# File shares: under "valid users" I put a group. If you create a group for Samba in
# Active Directory and add users to it, those users will be able to access smb
# shares from this server over the network.

[home directory]
comment = My shared folder
path = /home
public = no
writable = yes
guest ok = no
valid users = @"agroup@youraddomain.tld"

Make sure Samba is enabled

systemctl enable smb.service
systemctl start smb.service

Now that Samba is set up to share /home, you'll need to edit permissions on /home so users can access their home folders. It's also worth noting that in order for those home folders to be created you may need to su to the users so the home folder is created, or have another way to automatically create their home folders with the correct permissions.

chown root:adgroupyoumade@yourdomain.tld /home

This next part I feel could be tightened up permissions-wise; in Ubuntu the default permission for /home is 755, in CentOS it seems to be 700 by default.

chmod 775 /home

After configuring my CentOS install and setting up Samba to share out home folders this way, my permissions look like this:

drwxrwxr-x.   6 root domain users@mydomain.com  177 Oct 11 14:33 home
drwx------   3 austin.janey@mydomain.com   domain users@mydomain.com   215 Oct 11 17:05 austin.janey@mydomain.com

If you're concerned about the file permissions on a root directory being messed with, it's likely you have bigger issues. Since what Samba is sharing is only modifiable by the owner this seems OK to me; this is not a server out on the internet, it should be behind a firewall and be accessed by your users via a VPN or over the internal LAN. As such we are not hardening this server: it's in a trusted zone, and if we really want to protect access we should do that with something like ZeroTier One.

All that's left to do is test. From your SSH session as root on your CentOS7 server, log in as an AD user; this will create a home folder for them.

su someadname@yourdomain.tld

Then try to hit that SMB share over the network. If all went well you should see a home folder named with the full AD username, your domain and all. You'll be able to see other network home folders as well but not access them; Samba won't let you (which is perfect).

Something I've not yet figured out is how to stop someone who's authenticated from being able to write anything to the /home folder; I suspect that it has something to do with chmod 775 /home.

This guide is my notes, with some modifications that worked for me in my environment. I found the guide at hexblot very helpful and some of the commands are direct copy and paste from their guide; the credit for this post goes to them. http://www.hexblot.com/blog/centos-7-active-directory-and-samba

Backing up User Homes on Windows with Powershell

If you want to back up an entire Windows system, Veeam Endpoint Free is your best friend, but if you want to back up only the user's actual data (their home folder) your options are a bit more limited. There are lots of programs that do this, but sometimes installing yet another program on a computer to do something as seemingly small as this just seems redundant; for things like that, scripts are awesome.

I wrote a quick script that works for me to do this. Robocopy is a great built-in Windows tool that allows you to generate a report of what successfully copied. The way I've used it is to make a copy of a user's home folder and copy it to an external location that the user has access to. This script does not require admin rights and runs as the user, which allows it to be run as a startup script, and is super versatile.

### Azulpine User Home Folder Backup Script
### Changes in this version: target of backups was changed so that the backups now point to the user's home directory
### Created by Austin Janey on 6/13/17
### This script is designed to back up the user's home folder on logon and send the logs of the backup job to the backup location's log folder.

### Backup destination and log locations, built from the logged-on user's name
$Backup = "\\someDFSnamespaceorserver.com\DATA\U\$env:UserName\Backup"
$LogDir = "$Backup\logs"
$TimeStamp = (Get-Date).ToString('dd-MM-yyyy')

### Creating the folders in the user's shared folder so that we have a place to dump the log files
### (-Force makes this a no-op if they already exist instead of an error)
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

### Editing the /XD (exclude directories) and /XF (exclude files) lists determines what is backed up.
### Robocopy reads the names that directly follow /XD as directories and those that follow /XF as files,
### so each list must come right after its switch; the next switch (/LOG) ends the list.
robocopy "C:\Users\$env:UserName" "$Backup" /E /XA:SH /R:1 /W:5 `
    /XD "AppData" "My Music" "PrintHood" "My Pictures" "My Documents" "Recent" "Searches" "Saved Games" "Templates" "SendTo" "NetHood" "Local Settings" "My Videos" "Cookies" "Application Data" "Dropbox" "Start Menu" `
    /XF *.pst *.vir *.js *.jar *.jse *.lnk *.LOG1 *.exe *.msi *.DAT `
    /LOG:"$LogDir\newlogfile.txt"

### Timestamps the log file produced by robocopy and moves it to the shared logs folder in the U drive
Move-Item "$LogDir\newlogfile.txt" "\\someDFSnamespaceorserver.com\DATA\U\logs\$env:UserName-backup_$TimeStamp.txt"

Hashing Files

File hashes are awesome.

A hash is a one-way algorithm that, when data is put into it, spits out a fixed-size digest of that data.

Hash rules…
1. Hashes are one-way: you can't feasibly take a hash and convert it back into what it was before it got hashed.
2. A hash will always give you the same number of characters as a result: if you hash a 1TB file with MD5 it will spit out 32 characters, and if you hash a single-letter string it will still give you 32 characters.
3. Hashes are not foolproof; it is possible that two files could have the same hash, but it is extremely unlikely.
4. Changing any part of a file will result in a completely different file hash; if you change 1 byte of a 1PB file it will give you a completely different set of 32 characters.

So with that being said, hashing a file is a great way to…
– figure out if the file you downloaded is identical to the file the server on the other end of the connection was trying to send you.
– find out if a file has changed over time (assuming that you had a hash of it).

Getting a hash: there are lots of different types of hashes one can get. MD5 is very common for file verification, and although one could argue that it's not as cryptographically strong as it once was, forging a file to get an identical hash is still beyond the capabilities of anyone on earth.

Some of the tools hosted here and on other sites have hashes; those hashes may be MD5 or SHA1. By confirming the hash after downloading the file you can be reasonably certain that you have a bit-for-bit copy of the original, which can help diagnose issues with installers or verify the security of the Linux ISO you downloaded. Keep in mind that if a site is compromised, the attacker could easily upload his own file and hash, in which case the hash would match the new malicious file. It is best to Google the hash string after hashing the file to see if any mirrors or other people have gotten it before you; somebody may have found that a certain hash is malicious. In some cases verifying the hash of the file over time is useful, and if you're lucky the Wayback Machine can help with that.

Powershell: Get-FileHash pathtofile -Algorithm MD5


Bash: md5 pathtofile (on macOS; on Linux the equivalent is md5sum pathtofile)

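As an added example (my own code, not from the original post), here is a small Python script that does the verification workflow described above and exercises the hash rules: it streams a file through MD5, SHA1 or SHA256, compares the result with a published hash the way you would after a download, and shows how much a one-byte change alters the digest. The sample bytes and temp file it uses are constructed inline.

```python
"""Added example, not from the original post: verify a download against a
published hash the way the post describes, and exercise the hash rules
above on constructed data.  Uses only the standard library."""
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def hash_bytes(data, algorithm="md5"):
    """Hex digest of in-memory data (rule 2: fixed length whatever the input size)."""
    return ALGORITHMS[algorithm.lower()](data).hexdigest()


def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Stream the file in 1 MB chunks so a multi-GB ISO never has to fit in RAM."""
    h = ALGORITHMS[algorithm.lower()]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(actual, published):
    """Compare a computed digest with the one copied from a download page.

    Tolerates the usual copy-and-paste noise (case, surrounding whitespace)
    and uses a constant-time comparison, which is cheap and a good habit."""
    expected = published.strip().lower()
    actual = actual.strip().lower()
    if len(expected) != len(actual):  # different algorithm or truncated paste
        return False
    return hmac.compare_digest(actual, expected)


def differing_hex_chars(data_a, data_b, algorithm="md5"):
    """How many hex characters differ between the digests of two inputs (rule 4)."""
    a, b = hash_bytes(data_a, algorithm), hash_bytes(data_b, algorithm)
    return sum(1 for x, y in zip(a, b) if x != y)


def file_roundtrip_matches(size=3 * 1024 * 1024 + 17):
    """Write constructed bytes to a temp file and confirm the streamed file hash
    equals the in-memory hash of the same bytes."""
    data = bytes(range(256)) * (size // 256) + b"x" * (size % 256)
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return verify_digest(hash_file(path, "sha256"), hash_bytes(data, "sha256"))
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("MD5 of 'abc':", hash_bytes(b"abc"))
    print("hex chars changed by a one-byte edit:", differing_hex_chars(b"abc", b"abd"))
    print("streamed file hash matches in-memory hash:", file_roundtrip_matches())
```

For a real download, call hash_file on the ISO with the algorithm the site lists and pass the published string to verify_digest.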

Creating a Windows 10 bootable VHDX

So Windows 10 is kind of a disaster; we have known that for some time. This is a guide to make Windows 10 a little bit less of a disaster by enabling your Windows 10 system to boot directly from a VHDX file. Doing so has the following advantages, or in short, it lets you make an easily transportable Windows 10 image:

– you get to have windows 10 in a file, easy to back up or transport to another machine.
– might make imaging systems very easy
– allows you to do seemingly risky things in windows without fear of totally bricking your OS
– would allow you to have different bootable windows files for different people or rather for different uses

disadvantages
– may not be stable; it's designed for developers and Microsoft recommends not using this in production.
– you won't be able to use BitLocker.

So with that out of the way, here's how this works.

You'll need a Windows 10 ISO; mount it and extract the sources folder to your desktop.

Use the Windows Disk Management utility to create a blank VHDX.
Note: Microsoft seems to recommend making your VHDX a fixed-size rather than a dynamically expanding file. I have run into some trouble booting into dynamic files, with errors about there not being enough drive space, so consider yourself warned.
– initialize the VHDX as GPT and format it as NTFS; name it whatever you would like.
– mount your new VHDX file.

Open an admin PowerShell in the sources directory:

dism /apply-image /imagefile:install.esd /index:1 /ApplyDir:vhdxdriveletter:\

Wait for windows to write all the files to the VHDX…

Once that's done, all that needs to be done is to add the VHDX to the boot record like so:

bcdboot driveletterofmountedvhdx:\Windows

Reboot and you're good to go; just select your VHDX on boot. It's worth noting that you can edit the description of the VHDX boot entry using this little gem, the Visual BCD Editor.