Mar
15
2013
In order to control what processes are running on your clients you can use the Software Restriction Policies or tools like Applocker or Bit9. You can also increase the security of you system on the allowed processes by enabling some mitigations like DEP, ASLR, SEHOP… We will describe in this post how to use EMET: A tool provided by Microsoft which allows you to configure these features. By protecting the processes running on your computer with these features you can even be protected against some 0-day exploits.
Read more »
Jul
28
2011
In this post we will discuss some issues we had when using Microsoft Management Consoles to manage DNS (dnsmgmt.msc), Group Policy Objects (rsop.msc, gpmc.msc) and AD accounts (dsa.msc). No, we don’t use just powershell or command line tools to manage a Microsoft infrastructure: We click a lot 🙂
Read more »
May
09
2010
We will describe in this post how to secure your autologon workstations. Those PCs are accessed by everyone inside your company because no account and password are required to login.This is why you need to work out how to secure them.
The autologon workstation uses a service user account to open a windows session, the most obvious way to set up an autologon on a workstation is to edit registry keys. This method is not secure because the account credentials appear in clear text in the registry, meaning that the account can easily be used for other purpose.
Read more »
Apr
18
2010
The title of this post seems a bit contradictory, the use of generic accounts in your domain should be limited to the minimum. Access to your domain ressources should be done with nominative accounts when possible, that’s why you want to avoid generic accouns use. However for political or historical reasons a department of your company might use this type of accounts to access some applications or log on some computers. This account is used by several persons, accordingly the password does not remain secret and across many departments, non-authorized persons might know it and use it for other purposes. If you set up a classic change password policy for this account, then when the password expires, a single person will change it and will probably not notify other users that are entitled to use the account of the new password. That’s why generic accounts are generally flagged “the password never expires”, which is an obvious lack of security. We will demonstrate in this post how to set up an automatic system that will change the password and notify users entitled to use the account.
Read more »
Apr
07
2010
You can track GPO links changes by analyzing the security eventlog, GPO links will give you information on which objects your GPO is applied to. We will monitor GPLink attribute changes.
In order to analyze in real time the security log of all your DCs you need to pay for a Syslog solution, like Snare or Kiwi. Or you can try to setup an eventlog forwarding solution if you are under Windows 2008, you can also try to run a script that catches security log events, but you might encounter some performance issues.
Read more »
Mar
31
2010
We will explain in this post how to monitor GPO changes by tracking modifications on the GPT. Only deletion, computer/user configuration modification and creation can be overlooked. About GPO monitoring you can read this article,which shows you how to activate auditing on your Sysvol share \\domainname\sysvol\domainfqdn\Policies and retrieve GPO changes via the eventlog. We will use another method, taking advantage of the replication of this folder.
Read more »
Mar
18
2010
On this post we will describe how to do a spring clean on your active directory database file ntds.dit.
The first step will be to search for stale objects in your domain, if after collecting those objects you don’t find many of them, do not hope to gain some space on your database. For example the size of a user object is at the minimum 4Ko, the size may vary depending on the number of attributes the account has. Check this article for more information on objects size.
Read more »
Mar
14
2010
When you perform a complete domain or forest recovery, after you have restored the first DC system state, you have to cleanup metadata of the DCs on which you will reinstall AD using a DCPromo. For more information about disaster recovery plans I suggest you read this document.
On a Windows 2008 server when you delete the DC computer object, server object removal (cn=ServerName,cn=Servers,cn=SiteName, cn=Sites,cn=Configuration,dc=ForestRootDomain) and metadata cleanup are performed automatically. On a Windows 2003 server you need to use the ntdsutil command line tool and delete the server object manually. This post describes how to set up a semi automated process to perform these steps.
Read more »
Mar
12
2010
Here is an application for your helpdesk that collects data about the user environment which can be useful for troubleshooting, It was developed using WMI code creator was really useful for coding this application.
Just click on the icon bellow to download the tool, if you notice any bugs and have any ideas for tool evolution, please do not hesitate to contact me.
Read more »
Mar
07
2010
If lsass process consumes too much CPU time on your domain controller the cause might be clients infected by Conficker. The link to the KB article discusses how to prevent its propagation and how to remove the worm. The purpose of this post is to identify infected clients which cause this lsass.exe overconsumption easily.
This topic was already discussed in a post of AskDS, I’ll add a few comments and scripts which will help you to eradicate the virus on your workstations.
Read more »