Latest Entries »

IT Self-trainings

IT pro TV: https://itpro.tv/course-library/

Microsoft virtual academy: https://mva.microsoft.com/

Microsoft channel9: https://channel9.msdn.com/

 

 

 

 

Advertisements

https://www.howtogeek.com/326742/ccleaner-was-hacked-what-you-need-to-know/

Concernant le déploiement des binaires : https://support.office.com/fr-fr/article/Guide-de-d%c3%a9ploiement-pour-Office-365-ProPlus-f99f8cd0-e648-4834-8f45-f5637351899d?ui=fr-FR&rs=fr-FR&ad=FR

Concernant la juxtaposition Project/Visio avec Office 365 : https://support.office.com/fr-fr/article/Guide-de-d%c3%a9ploiement-pour-Office-365-ProPlus-f99f8cd0-e648-4834-8f45-f5637351899d?ui=fr-FR&rs=fr-FR&ad=FR

https://blogs.technet.microsoft.com/windowsserver/2017/09/14/sneak-peek-4-introducing-project-honolulu-our-new-windows-server-management-experience/

 

Cool Tools for MAC

Cool tools for MAC:

dr cleaner (cleanup system)

cleanmyMac (cleanup system)

OneNote from Microsoft (postit)

Wunderlist    (task manager)

nomad.menu (active directory integration)

VLC (from videolan)

Slack

Microsoft teams (https://teams.microsoft.com/downloads)

Little snitch

Dropbox, OneDrive

The Unarchiver

 

Reference article:

https://blogs.technet.microsoft.com/applicationproxyblog/2014/08/20/web-application-proxy-powershell-cheat-sheet/

http://ms.darrenongpt.com/2015/07/remove-web-application-proxy-wap-from.html

 

Symptom:

On the current WAP server wapserver1, the WAP remote access management console display a server called server2. How to remove this server from the cluster list?

Solution:

Connect on the wapserver1, open a powershell prompt: Swpc –ConnectedServersName ((gwpc).ConnectedServersName –ne ‘server2.domain.local’)

gwpc to display the list of WAP servers.

How to bind a MAC to a Windows domain:

Third-party Tools:

Nomad    nomad.menu

Centrify   www.centrify.com

Procedures and white papers:

https://www.pluralsight.com/blog/tutorials/join-mac-to-windows-domain

Apple support articles: https://support.apple.com/kb/index?page=search&type=organic&src=support_searchbox_main&locale=en_US&q=active+directory

https://www.jamf.com/jamf-nation/discussions/23175/binding-mac-to-ad-issue

 

RDS installation and HA procedure(s):

https://www.microsoftpressstore.com/articles/article.aspx?p=2346349&seqNum=4

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-connection-broker-cluster

https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1

https://msfreaks.wordpress.com/2013/12/23/windows-2012-r2-remote-desktop-services-part-2

https://msfreaks.wordpress.com/2013/12/26/windows-2012-r2-remote-desktop-services-part-3

https://ryanmangansitblog.com/tag/high-availability/

Technet forum: https://social.technet.microsoft.com/Forums/windowsserver/en-us/home?forum=winserverts

 

 

 

 

Introduction:

Event forwarding (also called SUBSCRIPTIONS) is a mean to send Windows event log entries from source computers to a collector. A same computer can be a collector or a source.

There are two methods available to complete this challenge – collector initiated and source initiated:

Parameter Collector Initiated (PULL) Source Initiated (PUSH)
Socket direction (for firewall rules) Collector –> Source Collector –> Source
Initiating machine Collector Source
Authentication Type Kerberos Kerberos / Certificates

This technology uses WinRM (HTTP protocol on port TCP 5985 with WinRM 2.0) . Be careful with the Window firewall and configure it to allow WinRM incoming requests.

WinRM is the ‘server’ component and WinRS is the ‘client’ that can remotely manage the machine with WinRM configured.

Differences you should be aware of:

WinRM 1.1 (obsolete)
Vista and Server 2008
Port 80 for HTTP and Port 443 for HTTPS

WinRM 2.0
Windows 7 and Server 2008 R2, 2012 R2 …
Port 5985 for HTTP and Port 5986 for HTTPS

Reference for WEF and event forwarding:

Deploying WinRM using Group Policy: http://www.vkernel.ro/blog/how-to-enable-winrm-http-via-group-policy

Microsoft official document well documented:

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

Fresh How-to from Intrusion detection perspective:

https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f

How-to easy to follow from Intrusion detection perspective:

https://www.root9b.com/sites/default/files/whitepapers/R9B_blog_005_whitepaper_01.pdf

https://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html same than previous one but more appendix

From Intrusion detection perspective:

https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4 help to manage error of WEF deployment

Basic configuration:

on source computers and collector computer:  winrm quickconfig     and add the collector computer account to the local administrators group

To verify a listener has been created type winrm enumerate winrm/config/listener

WinRM Client Setup

Just to round off this quick introduction to WinRM, to delete a listener use winrm delete winrm/config/listener?address=*+Transport=HTTP

on collector computer: wecutil qc. Add the computer account of the collector computer to the Event Log Readers Group on each of the source computers

on collector computer: create a new subscription from event viewer (follow the wizard)

WinRS: WinRS (Windows Remote Shell) is the client that connects to a WinRM configured machine (as seen in the first part of this post). WinRS is pretty handy, you’ve probably used PSTools or SC for similar things in the past. Here are a few examples of what you do.

Connecting to a remote shell
winrs -r:http://hostnameofclient "cmd"
Stop / Starting remote service
winrs -r:http://hostnameofclient "net start/stop spooler"
Do a Dir on the C drive
winrs -r:http://hostnameofclient "dir c:\"

WinRS

Forwarded Event Logs:

This is configured using ‘subscribers’, which connect to WinRM enabled machines.

To configure these subscribers head over to event viewer, right click on forwarded events and select properties. Select the 2nd tab along subscriptions and press create.

This is where you’ll select the WinRM enabled machine and choose which events you would like forwarded.

Subscriptions

Right click the subscription and select show runtime status.

Error 0x80338126

Now it took me a minute or two to figure this one out. Was it a firewall issue (this gives the same error code), did I miss some configuration steps? Well no, it was something a lot more basic than that. Remember earlier on we were talking about the port changes in WinRM 1.1 to 2.0?

That’s right, I was using server 2008 R2 to set the subscriptions which automatically sets the port to 5985. The client I configured initially was server 2008 so uses version 1.1. If you right click the subscription and click properties -> advanced you’ll be able to see this. I changed this to port 80 and checked the runtime status again.

[DC2.domain.local] – Error – Last retry time: 03/02/2011 20:20:30. Code (0x5): Access is denied. Next retry time: 03/02/2011 20:25:30.”

Head back to the advanced settings and change the user account from machine account to a user with administrative rights. After making these changes the forwarded events started to flow.

Subscriptions Advanced

Additional considerations:

In a workgroup environment, you can follow the same basic procedure described above to configure computers to forward and collect events. However, there are some additional steps and considerations for workgroups:

  • You can only use Normal mode (Pull) subscriptions
  • You must add a Windows Firewall exception for Remote Event Log Management on each source computer.
  • You must add an account with administrator privileges to the Event Log Readers group on each source computer. You must specify this account in the Configure Advanced Subscription Settings dialog when creating a subscription on the collector computer.
  • Type winrm set winrm/config/client @{TrustedHosts="<sources>"} at a command prompt on the collector computer to allow all of the source computers to use NTLM authentication when communicating with WinRM on the collector computer. Run this command only once. Where <sources> appears in the command, substitute a list of the names of all of the participating source computers in the workgroup. Separate the names by commas. Alternatively, you can use wildcards to match the names of all the source computers. For example, if you want to configure a set of source computers, each with a name that begins with “msft”, you could type this command winrm set winrm/config/client @{TrustedHosts="msft*"} on the collector computer. To learn more about this command, type winrm help config.

If you configure a subscription to use the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings , you must also set corresponding Windows Firewall exceptions for port 443. For a subscription that uses Normal (PULL mode) delivery optimization, you must set the exception only on the source computers. For a subscription that uses either Minimize Bandwidth or Minimize Latency (PUSH mode) delivery optimizations, you must set the exception on both the source and collector computers.

If you intend to specify a user account by using the Specific User option in Advanced Subscription Settings when creating the subscription, you must ensure that account is a member of the local Administrators group on each of the source computers in step 4 instead of adding the machine account of the collector computer. Alternatively, you can use the Windows Event Log command-line utility to grant an account access to individual logs. To learn more about this command-line utility, type wevtutil sl -? at a command prompt.

References:

http://blogs.technet.com/b/jepayne/archive/2015/11/24/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem.aspx

http://blogs.technet.com/b/jepayne/archive/2015/11/20/what-should-i-know-about-security-the-massive-list-of-links-post.aspx

https://technet.microsoft.com/en-us/library/cc748890.aspx

http://windowsitpro.com/security/q-what-are-some-simple-tips-testing-and-troubleshooting-windows-event-forwarding-and-collec

http://technet.microsoft.com/en-us/library/cc749140.aspx

http://blogs.technet.com/b/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx

http://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx

Video:

Tutorials:

1st: Event forwarding between computers in a Domain

http://tutorial.programming4.us/windows_7/Forwarding-Events-(part-1)—How-to-Configure-Event-Forwarding-in-AD-DS-Domains.aspx

2nd: Event forwarding between computers in workgroup

http://tutorial.programming4.us/windows_7/Forwarding-Events-(part-2)—How-to-Troubleshoot-Event-Forwarding—How-to-Configure-Event-Forwarding-in-Workgroup-Environments.aspx

Additional article talking about Event forwarding too:

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

 

Behind this catchy title is a real need. As a system administrator, it may be worthwhile to audit all of your organization’s Active Directory accounts to assess the level of security for user accounts. Let’s see how we do it!

Web resources and Methods: