
How to improve Windows DNS logging (audit and analytics):

Resources:

DNS logging (audit and analytics): https://technet.microsoft.com/en-us/library/dn800669(v=ws.11).aspx

Free tool:

http://www.networkstr.com/dnscentric/dns_log_converter

Scripts to parse DNS debug logs:

https://gallery.technet.microsoft.com/scriptcenter/Get-DNSDebugLog-Easy-ef048bdf

http://www.adamtheautomator.com/microsoft-dns-debug-log-script/

http://poshcode.org/4509

http://xianclasen.blogspot.fr/2016/01/dns-logging-in-windows-with-powershell.html

Performance considerations

DNS server performance can be affected when additional logging is enabled; however, the enhanced DNS logging and diagnostics feature in Windows Server 2012 R2 and Windows Server 2016 is designed to have a very low impact on performance. The following sections discuss DNS server performance considerations when additional logging is enabled.

 

Prior to the introduction of DNS analytic logs, DNS debug logging was the available method to monitor DNS transactions. DNS debug logging is not the same as the enhanced DNS logging and diagnostics feature discussed in this topic; it is covered here because it is also a tool available for DNS logging and diagnostics (see the linked article's section on server debug logging options). The DNS debug log provides extremely detailed data about all DNS traffic sent and received by the DNS server, similar to what a packet capture tool such as Network Monitor would gather. Debug logging can affect overall server performance and consumes disk space, so enable it only temporarily, when detailed DNS transaction information is needed, and cap the size of the log file.

 

Enhanced DNS logging and diagnostics in Windows Server 2012 R2 and later includes DNS Audit events and DNS Analytic events. DNS audit logs are enabled by default, and do not significantly affect DNS server performance. DNS analytical logs are not enabled by default, and typically will only affect DNS server performance at very high DNS query rates. For example, a DNS server running on modern hardware that is receiving 100,000 queries per second (QPS) can experience a performance degradation of 5% when analytic logs are enabled. There is no apparent performance impact for query rates of 50,000 QPS and lower. However, it is always advisable to monitor DNS server performance whenever additional logging is enabled.
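The following is an added example (not code from the linked Microsoft article): it turns the analytic channel on with wevtutil, samples the server's query rate and CPU so the cost of the extra logging can be measured rather than assumed, and switches debug logging on with a capped file and back off again. It assumes Windows Server 2012 R2 or later with the DNS Server role and the DnsServer PowerShell module; the log directory is a placeholder.

```powershell
# Added example, not Microsoft's code. Assumes Windows Server 2012 R2+ with the
# DNS Server role and the DnsServer module; C:\DnsLogs is a placeholder path.
Import-Module DnsServer

$AnalyticChannel = 'Microsoft-Windows-DNSServer/Analytical'

function Enable-DnsAnalyticLog {
    # Analytic channels are off by default; "wevtutil sl" persists the setting.
    & wevtutil.exe sl $AnalyticChannel /e:true /q:true
    & wevtutil.exe gl $AnalyticChannel | Select-String -Pattern '^enabled:'
}

function Disable-DnsAnalyticLog {
    & wevtutil.exe sl $AnalyticChannel /e:false /q:true
}

function Measure-DnsServerLoad {
    # Average the DNS query rate and total CPU over a few samples. Run it before
    # and after enabling a log and compare the two results to see the real cost.
    param([int]$Samples = 10, [int]$IntervalSeconds = 1)
    $paths = '\DNS\Total Query Received/sec', '\Processor(_Total)\% Processor Time'
    $data  = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $avg = @{}
    foreach ($p in $paths) {
        # Counter paths come back prefixed with \\computername, hence the wildcard.
        $avg[$p] = ($data.CounterSamples | Where-Object { $_.Path -like "*$p" } |
                    Measure-Object -Property CookedValue -Average).Average
    }
    [pscustomobject]@{
        AverageQps        = [math]::Round($avg[$paths[0]], 1)
        AverageCpuPercent = [math]::Round($avg[$paths[1]], 1)
    }
}

function Start-DnsDebugLog {
    # Debug logging records every packet: enable only the packet classes needed
    # and cap the file so a busy server cannot fill the disk.
    param([string]$LogFilePath = 'C:\DnsLogs\dns.log', [int]$MaxMB = 500)
    New-Item -ItemType Directory -Path (Split-Path -Parent $LogFilePath) -Force | Out-Null
    Set-DnsServerDiagnostics -Queries $true -Answers $true `
        -SendPackets $true -ReceivePackets $true -UdpPackets $true -TcpPackets $true `
        -EnableLoggingToFile $true -LogFilePath $LogFilePath -MaxMBFileSize $MaxMB
}

function Stop-DnsDebugLog {
    # -All $false clears every debug flag in one call.
    Set-DnsServerDiagnostics -All $false
}
```

Typical use: `$before = Measure-DnsServerLoad; Enable-DnsAnalyticLog; $after = Measure-DnsServerLoad; $before, $after | Format-Table`. For a one-off investigation, `Start-DnsDebugLog` followed by `Stop-DnsDebugLog` once the window of interest has passed; the debug file can then be fed to one of the parsing scripts listed above.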

Securing Windows Workstations: Developing a Secure Baseline

Securing Domain Controllers to Improve Active Directory Security

 

You can manage users, sessions, processes, and terminal servers by using command-line utilities:

For Windows Server 2008 / 2008 R2: http://technet.microsoft.com/en-us/library/cc725766(WS.10).aspx

 

Command: Description
Change: Changes Remote Desktop Session Host (RD Session Host) server settings for logons, COM port mappings, and install mode.
Change logon: Enables or disables logons from client sessions on an RD Session Host server, or displays current logon status.
Change port: Lists or changes the COM port mappings to be compatible with MS-DOS applications.
Change user: Changes the install mode for the RD Session Host server.
Chglogon: Enables or disables logons from client sessions on an RD Session Host server, or displays current logon status.
Chgport: Lists or changes the COM port mappings to be compatible with MS-DOS applications.
Chgusr: Changes the install mode for the RD Session Host server.
Flattemp: Enables or disables flat temporary folders.
Logoff: Logs off a user from a session on an RD Session Host server and deletes the session from the server.
Msg: Sends a message to a user on an RD Session Host server.
Mstsc: Creates connections to RD Session Host servers or other remote computers.
Qappsrv: Displays a list of all RD Session Host servers on the network.
Qprocess: Displays information about processes that are running on an RD Session Host server.
Query: Displays information about processes, sessions, and RD Session Host servers.
Query process: Displays information about processes that are running on an RD Session Host server.
Query session: Displays information about sessions on an RD Session Host server.
Query termserver: Displays a list of all RD Session Host servers on the network.
Query user: Displays information about user sessions on an RD Session Host server.
Quser: Displays information about user sessions on an RD Session Host server.
Qwinsta: Displays information about sessions on an RD Session Host server.
Rdpsign: Enables you to digitally sign a Remote Desktop Protocol (.rdp) file.
Reset session: Enables you to reset (delete) a session on an RD Session Host server.
Rwinsta: Enables you to reset (delete) a session on an RD Session Host server.
Shadow: Enables you to remotely control an active session of another user on an RD Session Host server.
Tscon: Connects to another session on an RD Session Host server.
Tsdiscon: Disconnects a session from an RD Session Host server.
Tskill: Ends a process running in a session on an RD Session Host server.
Tsprof: Copies the Remote Desktop Services user configuration information from one user to another.

Tips and tricks:

To query and list the sessions on a local or remote server, use quser.exe or qwinsta.exe:

C:>QUERY USER [username | sessionname | sessionid] [/SERVER:servername]

QWinsta is slightly different and more capable: it has more options, and it ships with all editions of Windows:

C:>qwinsta /?
Display information about Terminal Sessions.

QUERY SESSION [sessionname | username | sessionid]
[/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER]

The logoff command logs off the specified session (local or remote):

C:>logoff /?
Terminates a session.

LOGOFF [sessionname | sessionid] [/SERVER:servername] [/V]

RWinsta (reset session) takes the same parameters as logoff, but it does not log the user off gracefully: it resets the session outright, so any unsaved work in that session is lost. The name simply means Reset WINdows STAtion:

C:>RWinsta /?
Reset the session subsystem hardware and software to known initial values.

RESET SESSION {sessionname | sessionid} [/SERVER:servername] [/V]
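The following is an added example (not from the original post) that wraps qwinsta and logoff so the sessions of a local or remote RD Session Host can be handled as objects, and so disconnected sessions can be logged off in bulk. Disconnected sessions keep the user's logon credentials in memory on the host and can be reattached with tscon, so clearing them is a cheap hardening step. It assumes the caller has administrative rights on the target; the server name RDS01 used in the usage note is a placeholder.

```powershell
# Added example, not from the original post. Parses "qwinsta /server:X" output
# into objects and logs off disconnected sessions via logoff.exe.
function Get-RdSession {
    param([string]$Server = $env:COMPUTERNAME)
    $lines = @(& qwinsta.exe /server:$Server 2>&1)
    if ($LASTEXITCODE -ne 0) { throw "qwinsta failed against ${Server}: $lines" }

    # Columns are fixed-width; take their start offsets from the header line.
    # USERNAME and ID are read together because ID is right-aligned and a large
    # ID (e.g. the 65536 listener) overlaps the USERNAME column.
    $header   = [string]$lines[0]
    $sessCol  = $header.IndexOf('SESSIONNAME')
    $userCol  = $header.IndexOf('USERNAME')
    $stateCol = $header.IndexOf('STATE')
    $typeCol  = $header.IndexOf('TYPE')
    $devCol   = $header.IndexOf('DEVICE')

    function Get-Field([string]$text, [int]$start, [int]$end) {
        if ($text.Length -le $start) { return '' }
        $len = [math]::Min($end, $text.Length) - $start
        return $text.Substring($start, $len).Trim()
    }

    foreach ($raw in ($lines | Select-Object -Skip 1)) {
        $line = [string]$raw
        if (-not $line.Trim()) { continue }
        $userAndId = (Get-Field $line $userCol $stateCol) -split '\s+'
        $id   = $userAndId[-1]
        $user = if ($userAndId.Count -gt 1) { $userAndId[0] } else { '' }
        [pscustomobject]@{
            Server      = $Server
            Current     = $line.StartsWith('>')   # '>' marks the session running this command
            SessionName = Get-Field $line $sessCol $userCol
            UserName    = $user
            Id          = [int]$id
            State       = Get-Field $line $stateCol $typeCol
            Type        = Get-Field $line $typeCol $devCol
            Device      = Get-Field $line $devCol $line.Length
        }
    }
}

function Remove-DisconnectedRdSession {
    # Logs off every disconnected user session (optionally only one user's);
    # supports -WhatIf so the list can be reviewed before anything is killed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Server = $env:COMPUTERNAME, [string]$UserName = '*')
    Get-RdSession -Server $Server |
        Where-Object { $_.State -eq 'Disc' -and $_.UserName -and $_.UserName -like $UserName } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.UserName) session $($_.Id) on $Server", 'logoff')) {
                & logoff.exe $_.Id /server:$Server /v
            }
        }
}
```

Usage: `Get-RdSession -Server RDS01 | Format-Table` to list, `Remove-DisconnectedRdSession -Server RDS01 -WhatIf` to preview, then the same command without -WhatIf. Use logoff rather than rwinsta here so users get a normal logoff instead of a hard reset.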

 

 

Suricata IDS: https://suricata-ids.org/

Snort IDS: https://www.snort.org/

Vulnerability mgmt:

https://www.rapid7.com/

https://www.tenable.com/products/nessus-vulnerability-scanner

 

 

 

 

Resources:

SQL Server performance: http://wp.me/p15Zft-8h

SQL Server Video archive: https://technet.microsoft.com/en-us/dn912438

Database tasks: https://technet.microsoft.com/en-us/library/ms165730(v=sql.105).aspx

T-SQL reference: https://technet.microsoft.com/en-us/library/ms189826(v=sql.90).aspx

SQL performance and troubleshooting: http://sqlnexus.codeplex.com/

Microsoft companion (MOC): http://www.microsoft.com/en-us/learning/companion-moc.aspx


Tips and tricks:

PowerShell: import-module SQLPS

Place tempdb on a dedicated disk (RAID 1); do the same for the log files (RAID 1 or 10) and the database files (RAID 5). Also use a dedicated disk for the OS and another for the SQL Server binaries.

Run DBCC CHECKDB before each database backup.

Use the buffer pool extension (SQL Server 2014 and later).

Set up security in layers: create logins and server roles at the instance level, then in each database create users, database roles and database permissions.

Run the SQL Server services under managed service accounts (MSA, or gMSA on Windows Server 2012 and later) rather than under privileged domain accounts.

Enable SQL Server Audit.

Use logon triggers to record or restrict connections (and DDL or DML triggers for schema changes and sensitive tables).

SQL Profiler is heavy in terms of performance; prefer a server-side (T-SQL) SQL Trace, which has a light footprint when well designed.

Design a backup and restore strategy:

  • To back up: full backup + differential backup + transaction log backups (+ a tail-log backup immediately before a restore)
  • To restore: restore the full backup WITH NORECOVERY, then the last differential WITH NORECOVERY, then the transaction log backups in order WITH NORECOVERY, and finish with the tail-log backup WITH RECOVERY (if no tail-log backup could be taken, apply the last log backup WITH RECOVERY instead). Once RECOVERY has been applied no further log can be restored, so it belongs on the last step only.
  • Don't forget to back up the tail of the log before starting a restore sequence
  • Preferably use a logical "backup device" (sp_addumpdevice) that holds the full, differential and log backups; the device file can then be picked up by the OS backup software (Windows Backup, Tivoli Storage Manager, Veritas NetBackup…)

Define maintenance plans:

– Separate the maintenance plan that backs up the system databases from the one for the other databases (include the Check Database Integrity task, i.e. DBCC CHECKDB, before each backup sequence).

– Separate the maintenance plan that backs up an application database from the one that only checks database health: check database integrity, reorganize indexes, update statistics.
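The backup and restore sequences above, as an added example (not from the original post) driven from PowerShell through the SQLPS module that the tips mention: CHECKDB runs before the backups, every backup carries a checksum, and the tail-log backup is taken first in the restore, with RECOVERY applied only on the final step. It assumes an instance named SQL01 with a database AppDb in the FULL recovery model and a backup directory D:\Backups; all three are placeholders.

```powershell
# Added example, not from the original post. Assumes the SQLPS module, an
# instance SQL01, a FULL-recovery database AppDb and the folder D:\Backups.
Import-Module SQLPS -DisableNameChecking
$Instance = 'SQL01'
$Db       = 'AppDb'
$Dir      = 'D:\Backups'

function Invoke-AppDbBackupSequence {
    # CHECKDB first so a corrupt database is never backed up silently; CHECKSUM
    # on the backups makes RESTORE VERIFYONLY ... WITH CHECKSUM meaningful.
    $sql = @"
DBCC CHECKDB ([${Db}]) WITH NO_INFOMSGS, ALL_ERRORMSGS;
BACKUP DATABASE [${Db}] TO DISK = N'${Dir}\${Db}-full.bak' WITH INIT, CHECKSUM;
BACKUP DATABASE [${Db}] TO DISK = N'${Dir}\${Db}-diff.bak' WITH DIFFERENTIAL, INIT, CHECKSUM;
BACKUP LOG [${Db}] TO DISK = N'${Dir}\${Db}-log.trn' WITH INIT, CHECKSUM;
RESTORE VERIFYONLY FROM DISK = N'${Dir}\${Db}-full.bak' WITH CHECKSUM;
"@
    # -AbortOnError stops at the first failing statement instead of carrying on.
    Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $sql -QueryTimeout 3600 -AbortOnError
}

function Invoke-AppDbRestoreSequence {
    # Order matters: back up the tail of the log first (NORECOVERY leaves the
    # database in RESTORING and keeps users out), apply full, differential and
    # log chain WITH NORECOVERY, and put WITH RECOVERY on the last restore only.
    $sql = @"
BACKUP LOG [${Db}] TO DISK = N'${Dir}\${Db}-tail.trn' WITH NORECOVERY, CHECKSUM;
RESTORE DATABASE [${Db}] FROM DISK = N'${Dir}\${Db}-full.bak' WITH NORECOVERY, CHECKSUM;
RESTORE DATABASE [${Db}] FROM DISK = N'${Dir}\${Db}-diff.bak' WITH NORECOVERY, CHECKSUM;
RESTORE LOG [${Db}] FROM DISK = N'${Dir}\${Db}-log.trn' WITH NORECOVERY, CHECKSUM;
RESTORE LOG [${Db}] FROM DISK = N'${Dir}\${Db}-tail.trn' WITH RECOVERY, CHECKSUM;
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $sql -QueryTimeout 3600 -AbortOnError
}
```

If you prefer the single logical backup device from the tips, create it once with `EXEC master.dbo.sp_addumpdevice 'disk', 'AppDbDevice', 'D:\Backups\AppDb.bak'`, back up TO AppDbDevice WITH NOINIT so full, differential and log sets append to the same file, and select them on restore WITH FILE = n (use RESTORE HEADERONLY FROM AppDbDevice to list the sets).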

 

 

 

 

 

 

How to change the local NIC adapter from Public network to Private network using PowerShell (Windows 8 / Windows Server 2012 or later; the NetConnection cmdlets are not available on Windows 7):

To get NIC settings:

PS C:\windows\system32> get-netconnectionprofile
Name             : computer1.domainlocal.net
InterfaceAlias   : vEthernet (Connexion Ethernet Intel(R) I217-LM – Virtual
                   Switch)
InterfaceIndex   : 17
NetworkCategory  : Public
IPv4Connectivity : Internet
IPv6Connectivity : LocalNetwork

To change the NIC settings to Private (the network category also selects which Windows Firewall profile applies to the interface, so check Get-NetFirewallProfile after the change):

PS C:\windows\system32> set-netconnectionprofile -InterfaceIndex 17 -NetworkCategory Private

Here is a script to dump the AD extended rights:

AD is mission critical for most enterprises today. This article explains how to dump the extended rights applied to AD objects, so that the results can be audited to identify persistent threats, or attackers, who have gained control of AD by granting themselves control-access rights.

Other resources:

To list all the extended rights available for delegation in Active Directory: https://technet.microsoft.com/en-us/library/ff405676.aspx

BTA open-source tool from Airbus: https://www.information-security.fr/audit-lactive-directory-bta/

https://www.ssi.gouv.fr/uploads/IMG/pdf/Lucas_Bouillot_et_Emmanuel_Gras_-_Chemins_de_controle_Active_Directory.pdf

 

Script:

Import-Module ActiveDirectory

Function DumpExtendedRight([Microsoft.ActiveDirectory.Management.ADObject] $adobject){
    Foreach($access in $adobject.ntSecurityDescriptor.Access){
        # Ignore deny ACEs, the well-known principals that always hold rights, and inherited ACEs
        if ($access.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) { continue }
        if ($access.IdentityReference.Value -eq "NT AUTHORITY\SYSTEM") { continue }
        if ($access.IdentityReference.Value -eq "NT AUTHORITY\SELF") { continue }
        if ($access.IsInherited) { continue }

        # Control-access rights carry ExtendedRight; validated writes such as
        # Self-Membership carry Self, so both bits are checked. GenericAll sets
        # both as well and is reported through the all-zero GUID below.
        $rights = $access.ActiveDirectoryRights
        if ((($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -or
            (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::Self) -ne 0)){
            $right = ""
            # Dangerous rights, keyed by their rightsGuid
            # see : https://technet.microsoft.com/en-us/library/ff405676.aspx
            switch ($access.ObjectType.ToString()){
                "00000000-0000-0000-0000-000000000000" {$right = "All-Extended-Rights (or GenericAll)"}
                "00299570-246d-11d0-a768-00aa006e0529" {$right = "User-Force-Change-Password"}
                "45ec5156-db7e-47bb-b53f-dbeb2d03c40b" {$right = "Reanimate-Tombstones"}
                "bf9679c0-0de6-11d0-a285-00aa003049e2" {$right = "Self-Membership"}
                "ba33815a-4f93-4c76-87f3-57574bff8109" {$right = "Manage-SID-History"}
                "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" {$right = "DS-Replication-Get-Changes"}
                "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" {$right = "DS-Replication-Get-Changes-All"}
            } # End switch

            if ($right -ne ""){
                # Double quotes so the variables are expanded (single quotes printed them literally)
                "$($access.IdentityReference) can act on $($adobject.name) ($($adobject.DistinguishedName)) with extended right: $right"
            } # Endif
        } # Endif
    } # End Foreach
} # End Function

##MAIN

$dc     = [string](Get-ADDomainController -Discover).HostName   # or name a specific DC
$domain = Get-ADDomain -Server $dc
$rootou = $domain.DistinguishedName                            # narrow to an OU DN if wanted

# Replication rights (DCSync) are granted on the domain object itself, so audit it first
DumpExtendedRight (Get-ADObject -Server $dc -Identity $domain.DistinguishedName -Properties ntSecurityDescriptor)

$Allobjects = Get-ADObject -Server $dc -Searchbase $rootou -SearchScope subtree -LDAPFilter "(&(objectclass=user)(objectcategory=person))" -Properties ntSecurityDescriptor -ResultSetSize $null
Foreach ($Adobject in $Allobjects){
    DumpExtendedRight $Adobject
} # End Foreach

# End of Script

 

 

With my business laptop running Windows 10 Enterprise, I experienced a problem with the Start menu and Cortana not working. After googling I found this method, which worked fine in my case:

Before you proceed, create a system restore point first, so that you can revert if the results are not what you expected.

1) Run the following command in an elevated command prompt, to run the System File Checker.

sfc /scannow

Restart after the scan is over and see if it helped.

2) Repair the Windows image. Open an elevated CMD, paste the following and press Enter:

Dism /Online /Cleanup-Image /RestoreHealth

Restart after the scan is over and see if it helped.

3) Make Start full screen and back. Enable Tablet Mode and Start Screen and then go back. See if this toggling has helped.

4) Use the Windows 10 Start Menu Troubleshooter from Microsoft.

5) Open an elevated PowerShell window.

NOTE: after the November Update, using the Appx PowerShell cmdlet below to fix this problem could break Windows Store apps; on the Anniversary Update it works.

To open an elevated PowerShell prompt, type PowerShell in taskbar Search, and in the result ‘Windows Powershell’ which appears, right-click and select Run as administrator.

Type the following and press Enter:

Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Also rename the directory c:\users\<>\AppData\Local\TileDataLayer to c:\users\<>\AppData\Local\TileDataLayer_old.

NOTE: once the Start menu works again, remove the _old directory.

6) If Cortana or Taskbar search is not working, open Task Manager > File menu > Run new task. Type powershell, select the "Create this task with administrative privileges" check box and click OK. See this post if your taskbar is not working in Windows 10.

When you try to start the Windows 10 Update Assistant on Windows 10 Enterprise, the tool stops at the beginning, during the operating system check.

To upgrade to Windows 10 build 1607 (also called the Anniversary Update), go to the MVLS web site (the Microsoft Volume Licensing web site), download the latest Windows 10 Enterprise version, boot from the DVD or USB containing it and perform an UPGRADE.

Else:

I found another solution that actually works for Windows 10 Enterprise without needing an MVLS account to download the new ISO file. First of all make sure you have a backup of your data. Then follow the steps below:
1. Open regedit.exe and navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion
2. Change ProductName to Windows 10 Professional
3. Change EditionID to Professional
4. Navigate to HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion
5. Change ProductName to Windows 10 Professional
6. Change EditionID to Professional
7. Close regedit.exe (no need to restart)
8. Start the Windows 10 Pro installation from your installation media (download the Media Creation Tool from Microsoft: http://go.microsoft.com/fwlink/?LinkId=691209 or https://www.microsoft.com/en-gb/software-download/windows10, then click "Download tool now")
9. Do the upgrade: it will download and install, keeping all files and settings.
10. The machine will reboot several times. Once finished, log back in with your Microsoft account; it will automatically link your Enterprise key to the installation, and you will be back on Enterprise edition with build 1607 installed.
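The registry steps above, as an added example (not from the original post) done from an elevated PowerShell prompt. It first saves the original ProductName and EditionID of both keys to a file so they can be put back if the upgrade is abandoned, then writes the Pro values; "Windows 10 Pro" is the ProductName string a Pro installation reports, and the backup file location is a placeholder.

```powershell
# Added example, not from the original post. Run elevated; the backup path is a placeholder.
$EditionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'   # absent on 32-bit Windows
)
$BackupFile = "$env:ProgramData\edition-backup.json"

function Backup-EditionValues {
    # Record the current values of both keys before anything is changed.
    $saved = foreach ($k in $EditionKeys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k -Name ProductName, EditionID
        [pscustomobject]@{ Key = $k; ProductName = $p.ProductName; EditionID = $p.EditionID }
    }
    $saved | ConvertTo-Json | Set-Content -Path $BackupFile
    $saved
}

function Set-EditionToPro {
    # Steps 1 to 7 of the procedure: same values in the native and Wow6432Node keys.
    Backup-EditionValues | Out-Null
    foreach ($k in $EditionKeys) {
        if (-not (Test-Path $k)) { continue }
        Set-ItemProperty -Path $k -Name ProductName -Value 'Windows 10 Pro'
        Set-ItemProperty -Path $k -Name EditionID  -Value 'Professional'
    }
}

function Restore-EditionValues {
    # Put the saved values back if the upgrade is not carried out.
    foreach ($s in (Get-Content -Path $BackupFile -Raw | ConvertFrom-Json)) {
        Set-ItemProperty -Path $s.Key -Name ProductName -Value $s.ProductName
        Set-ItemProperty -Path $s.Key -Name EditionID  -Value $s.EditionID
    }
}
```

Run `Set-EditionToPro`, then start the Pro upgrade from the media (step 8 onwards); if you stop before the upgrade, `Restore-EditionValues` returns the keys to the Enterprise values that were backed up.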