Latest Entries »

Source: http://thehackernews.com/2017/07/windows-10-ubuntu-linux.html

Windows and Linux in the same line? Yes, you heard that right… and that too, on the same computer and within the same operating system.

Two months ago, Microsoft announced its plans to let its users install three different flavours of the Linux operating system – Ubuntu, Fedora, and SUSE – directly through their Windows Store, allowing them to run Windows and Linux apps side-by-side.

Now, downloading an entire operating system has just become as easy as downloading an application with the availability of popular Linux distro ‘Ubuntu’ in the Windows App Store.

However, unlike a conventional Ubuntu installation, this Ubuntu version runs in a sandboxed alongside Windows 10 with limited interaction with the operating system and is focused on running regular command-line utilities like bash or SSH as a standalone installation through an Ubuntu Terminal.

For now, Ubuntu is currently only available to Windows 10 Insiders users and would be made available to the public with the upcoming Windows 10 Fall Creator Update, which is expected to release in September/October 2017.

Here’s How to Install and Run Ubuntu on Windows 10

Users registered in Windows 10 Insiders Program with at least “Build 16215” installed can directly install Ubuntu from the Windows Store, which will allow them to “use Ubuntu Terminal and run Ubuntu command line utilities including bash, ssh, git, apt and many more.”

After installing Ubuntu, Windows 10 users will require enabling “Windows Subsystem for Linux” that was previously added to Windows 10.

Symptome:

“iPhone désactivé : Se connecter à iTunes” avec l’option d’appel d’urgence ainsi qu’indiqué : “SIM verrouillée” en haut à gauche de l’écran

Mode DFU:
– Eteint l’iPhone et branchez le sur le pc avec iTunes ouvert
– Appuyez pendant 10 secs sur les boutons Power & Home
– Après 10 sec relâchez juste le bouton Power mais restez appuyer sur le bouton Home encore
– Il sera détecté dans moins de 15 sec par iTunes en mode restauration
– Restaurez le avec la nouvelle version d’iPhone

Description

Today AD FS is made highly available by setting up an AD FS farm. Some organizations would like a way to have a single server AD FS deployment, eliminating the need for multiple AD FS servers and network load balancing infrastructure, while still having some assurance that service can be restored quickly if there is a problem. The new AD FS Rapid Restore tool provides a way to restore AD FS data without requiring a full backup and restore of the operating system or system state. You can use the new tool to export AD FS configuration either to Azure or to an on-premises location. Then you can apply the exported data to a fresh AD FS installation, re-creating or duplicating the AD FS environment.

Scenarios

The AD FS Rapid Restore tool can be used in the following scenarios:
1.Quickly restore AD FS functionality after a problem•Use the tool to create a cold standby installation of AD FS that can be quickly deployed in place of the online AD FS server

2.Deploy identical test and production environments•Use the tool to quickly create an accurate copy of the production AD FS in a test environment, or to quickly deploy a validated test configuration to production

What is backed up

The tool backs up the following AD FS configuration
•AD FS configuration database (SQL or WID)
•Configuration file (located in AD FS folder)
•Automatically generated token signing and decrypting certificates and private keys (from the Active Directory DKM container)
•SSL certificate and any externally enrolled certificates (token signing, token decryption and service communication) and corresponding private keys (note: private keys must be exportable and the user running the script must have permissions to access them)
•A list of the custom authentication providers, attribute stores, and local claims provider trusts that are installed.

Download and usage

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool

 

Problem description, security issue?

When i log on to my Adfs link below https://sts.mydomain.com/adfs/ls/idpinitiatedsignon.aspx

It showing two of my replying parties asking me sign in.

I have up to 8 other applications i am federating but they are not showing up on this link.

Is this Normal? If its not, how can i remove it? Is this something my relying partner has to fix?

 

Solution:

Do not disable the /adfs/ls endpoint from ADFS management snap-in.

Ask to the application provider (SP) to use WS-Fed and not SAML; using WS-Fed (like MS online 365 RP) will not show the list of RP trusts.

As long as your Relying Party trust has a SAML Assertion Consumer Endpoint, it will show up in the list of RP available for IDP initiated logon.

You can check if you have such endpoints in the graphical interface, or in PowerShell:
(Get-AdfsRelyingPartyTrust -Identifier “<ID of your RP>”).SamlEndpoints

In Windows Server 2012 R2, you cannot not disclose the information. You can use a JavaScript to hide it from the users, but the info will still be available in the code (if the users are curious and look at the HTML source, they will see them). If this is acceptable for you, you can go ahead and create a custom JavaScript for that. I can provide a sample if you want to, but the info is essentially there: https://technet.microsoft.com/en-us/library/dn636121.aspx and on the Internet.

Note that ADFS on Windows Server 2016 changed that behavior and the IdpInitiatedSignon page is not enabled by default. Although once enabled, you still need the JavaScript to hide the list or a part of the list.

This is normal. The Relying Party Trusts showing up are the ones using the SAML Federation Protocol since that protocol has a ‘feature’ called IdP Initiated Sign On where the user can first be authenticated by your ADFS and then choose which of these Relying Party Trusts/Service Providers they want to access (by having ADFS issue them a SAML Token) and POST/Redirect the browser to that Relying Party Trust/Service Provider.

Do note that just because a Relying Party Trust/Service Provider is listed doesn’t automatically mean that they actually DO support IdP Initiated Sign In. Some Service Providers using the SAML Protocol might only accept Service Provider Initiated Sign In.

I’ve hidden this list on my ADFS 2.0 Proxies for un-authenticated users (but not on our ADFS 3.0 WAPs yet).

In ADFS 2.0 edit C:\inetpub\adfs\ls\IdpInitiatedSignOn by adding SetRpListState(null, null);

You can’t disable the page on Windows Server 2012 R2. You can hide the list in JavaScript onload.js:
var checkidp_OtherRpPanel = document.getElementById(‘idp_OtherRpPanel’) ;
if ( checkidp_OtherRpPanel ) {
checkidp_OtherRpPanel.style.display = ‘none’ ;
}

You’ll find the guidance on how to modify the default JavaScript of the page there:

Customizing the ADFS 3.0 Sign-in page:

Credit/Source:

https://social.technet.microsoft.com/Forums/windows/en-US/5f3787ec-a1a6-44de-93ca-12be341506db/relying-party-showing-up-in-idpinitiatedsignonaspx?forum=ADFS

AD 2016 what are the news?

https://adsecurity.org/?p=3646

What’s new in ADFS 2016?

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server-2016?f=255&MSPPError=-2147217396

  • Eliminate Passwords from the Extranet
  • Sign in with Azure Multi-factor Authentication
  • Password-less Access from Compliant Devices
  • Sign in with Microsoft Passport
  • Secure Access to Applications
  • Better Sign in experience
  • Manageability and Operational Enhancements

 

You can upgrade an AD FS 2012 R2 farm using the “mixed farm” process described here. It works for WID or SQL farms, though the document shows only the WID scenario. Also another upgrade procedure:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016

 

ADFS v 3.0 (2012 R2) Migration to ADFS 4.0 (2016) – Part 1

ADFS v 3.0 (2012 R2) Migration to ADFS 4.0 (2016) – Part 2

ADFS v 3.0 (2012 R2) Migration to ADFS 4.0 (2016) – Part 3 – Azure MFA Integration

 

ADFS 2016 operations

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-2016-operations

ADFS 2016 deployment

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-deployment

ADFS 2016 design

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide

To detect lateral movement on Windows infrastructure I recommend to collect the following events:

It’s based on events (4648 + 4672 from member servers, 8004 from DCs) + network traffic (AS/TGS).

Regarding both event 4648 (A logon was attempted using explicit credentials) and event 4672 (Special privileges assigned to new logon):
=> Collect events and send to a SIEM (splunk, logrythm …) or even Windows Event collector (WEF)

 

Disabling SMB v1 (lanmanserver “server service only”) on windows computers/servers:

Full version: https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

 

My recommendation:

a) for domain-based computers: use GPO “group policy object” to deploy the registry key to disable SMBv1 (server-side only) protocol on all systems (A reboot is required to take effect)

 

b) for isolated computer or non/domain joined computers: use the following command line to modify the lanmanserver registry key properly

 

Implementation – Technical details:

 

a) for domain-based computers, create a GPO or modify an existing GPO applied to computers only, to add the following registry key:

 

for domain-based computers, to create the GPO setting to disable SMB v1, use GPMC, Computer configuration, preferences, windows settings, registry, right-click, new registry item,

 

keep: Update,

Select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

 

Value: SMB1

Data: REG_DWORD 0

 

Note: To re-enable it

REG_DWORD: 1 = Enabled

Default: 1 = Enabled

 

 

b) for isolated computer or non/domain joined computers:

 

b.1) For Windows 8 and Windows server 2012 or greater (Note: not supported on Windows 7):

To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

 

Get-SmbServerConfiguration | Select EnableSMB1Protocol

 

To disable SMBv1 on the SMB server, run the following cmdlet:

 

Set-SmbServerConfiguration -EnableSMB1Protocol $false

 

b.2) For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

 

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server

2008, use Windows PowerShell or Registry Editor.

 

To disable SMBv1 on the SMB server, run the following cmdlet:

 

Set-ItemProperty –Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 –Force

 

To assess the impact:

 

This article contain a table to understand what version you will end up, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server.

https://blogs.technet.microsoft.com/josebda/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-are-you-using-on-your-file-server/

 

 

This article contain a table to understand what version you will end up, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server.

https://blogs.technet.microsoft.com/josebda/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-are-you-using-on-your-file-server/

Analysis Technical details:

https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis

 

CERT articles:

http://www.cert.ssi.gouv.fr/site/CERTFR-2017-ALE-010.pdf

https://www.us-cert.gov/ncas/alerts/TA17-132A

https://kc.mcafee.com/corporate/index?page=content&id=KB89335

 

Attaching the latest recommendations by Microsoft:

Customer Guidance for WannaCrypt attacks:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

 

WannaCrypt ransomware worm targets out-of-date systems:

https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

 

A patch that was released in March protects your organization from “WannaCry” and similar variants, you should immediately deploy it if you haven’t: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

“Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003”