Category: Core Server


Reference articles to secure a Windows domain:

https://github.com/PaulSec/awesome-windows-domain-hardening

Microsoft audit Policy settings and recommendations:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

Sysinternals sysmon:

https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

On ADsecurity.org:

Beyond domain admins: https://adsecurity.org/?p=3700

Gathering AD data with PowerShell: https://adsecurity.org/?p=3719

Hardening Windows computers, secure Baseline check list: https://adsecurity.org/?p=3299

Hardening Windows domain, secure Baseline check list:

Securing Domain Controllers to Improve Active Directory Security

Domain hardening in general:

  • Implement 2 or 3 tier model against Pass the Hash threat
  • FGPP implementation
  • LAPS Implementation
  • Process for proper cleanup of unused AD accounts
  • Reset of krbtgt account,domain admins account,IT administrators account
  • Setting Up Jump servers for Tier0,1,2 users
  • Domain joining of all windows boxes
  • Proper account Management Based on privileges
  • Usage of service accounts to run application instead of local system accounts
  • Review of existing AD accounts/Deletion of Unnecessary Accounts/ Review Ou structuring/GPO etc
  • HoneyToken Account Creation in Local boxes as well domain
  • GPO changes for disabling guest accounts across system,restricted RDP mode,Password Policy changes,disabling internet in member servers
  • GPO for Jump server implementation based on PAW GPO settings
  • Rename existing builtin Administrator account and lockdown
  • Sysmon deployment and WEF setup (WEC for symon events)
  • Use Pingcastle www.pingcastle.com  review to assess the AD security
  • Use Bloodhound (https://github.com/BloodHoundAD/BloodHound) to assess the AD security
  • Use ADTimeline to assess the AD security

 

Some interesting sites:

Windows hardening: https://wp.me/p15Zft-Mr

Privilege admin workstation: https://wp.me/p15Zft-Mr

Delegate WMI access to domain controllers:

This post originally came about after several customers asked how to remove users accounts from Domain Admins and the Administrators group in the domain. These accounts are needed to monitor the systems, so we needed to find a way to get them to read the instrumentation of the system with non-elevated privilege.

https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/

 

Attack surface analyzer:

https://www.microsoft.com/security/blog/2019/05/15/announcing-new-attack-surface-analyzer-2-0

 

DSC-EA:

https://github.com/Microsoft/DSCEA

documentation: https://microsoft.github.io/DSCEA/

 

Microsoft security compliance toolkit:

Il remplace Security Compliance Manager. Cet outil permet de planifier, créer, et monitorer des baselines de sécurité pour vos postes clients. Le remplacement a été choisi par Microsoft du fait de la complexité de SCM et de la difficulté à maintenir l’outil pour chaque version de Windows. Aujourd’hui, SCT ne supporte pas Desired Configuration Management de System Center Configuration Manager ou SCAP.

https://www.microsoft.com/en-us/download/details.aspx?id=55319

how to use it:

https://arnaudloos.com/2018/intro-to-policy-analyzer/

https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/security-compliance-toolkit-10.md

 

Other references:

2012 R2 hardening (CIS):

https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf

Windows 10 hardening:

https://www.asd.gov.au/publications/protect/Hardening_Win10.pdf

 

 

 

Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/

  1. Network Monitor 3.4 (Netmon) – https://www.microsoft.com/en-us/download/details.aspx?id=4865 (NOTE: Network Monitor is no longer under active development)
  2. Wireshark (v 2.2.2 as of 11/16/16) – https://wireshark.org/#download
  3. Netsh Trace – built-in to operating system
  4. Microsoft Message Analyzer (MMA) (v 1.4 as of 6/13/16) – https://www.microsoft.com/en-us/download/details.aspx?id=44226

Message analyzer operating guide: http://technet.microsoft.com/en-us/library/jj649776.aspx

How to message analyzer on YouTube: https://www.youtube.com/watch?v=e0v0RsQVdT8

As you might guess from the name, Message Analyzer is much more than a network sniffer or packet tracing tool.  Key capabilities include:

  • Integrated “live” event and message capture at various system levels and endpoints (client and server remotely !)
  • Remote capture (capture multiple point concurrently)
  • Parsing and validation of protocol messages and sequences
  • Automatic parsing of event messages described by ETW manifests
  • Summarized grid display – top level is  “operations”, (requests matched with responses)
  • User controlled “on the fly” grouping by message attributes
  • Ability to browse for logs of different types (.cap, .etl, .txt) and import them together
  • Automatic re-assembly and ability to render payloads
  • Ability to import text logs, parsing them into key element/value pairs
  • Support for “Trace Scenarios” (one or more message providers, filters, and views)

Other articles:

Use message analyzer to convert a .etl to .cap: https://blogs.msdn.microsoft.com/benjaminperkins/2018/03/09/analyze-netsh-traces-with-wireshark-or-network-monitor/

 

Capture a network trace using netsh:

https://blogs.msdn.microsoft.com/benjaminperkins/2018/03/09/capture-a-netsh-network-trace/

 

  1. To learn more about your nmcap options, enter “nmcap /?” or “nmcap /examples”
  2. Wireshark training can be found at https://www.wireshark.org/#learnWS.
  3. For more information on Message Analyzer, check out the blog at https://blogs.technet.microsoft.com/messageanalyzer/.
  4. Message Analyzer training videos can be found at https://www.youtube.com/playlist?list=PLszrKxVJQz5Uwi90w9j4sQorZosTYgDO4.
  5. Message Analyzer Operating Guide – https://technet.microsoft.com/en-us/library/jj649776.aspx
  6. Information on the Message Analyzer PowerShell module can be found at https://technet.microsoft.com/en-us/library/dn456518(v=wps.630).aspx.
  7. Remote captures with MMA – https://blogs.technet.microsoft.com/messageanalyzer/2013/10/17/remote-capture-with-message-analyzer-and-windows-8-1/

Windows Admin Center:

https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/understand/windows-admin-center

Installation:

You can install Windows Admin Center on the following Windows operating systems:

Version Installation mode
Windows 10, version 1709 or newer Desktop mode
Windows Server Semi-Annual Channel Gateway mode
Windows Server 2016 Gateway mode
Windows Server 2019 Gateway mode

Desktop mode: Launch from the Start Menu and connect to the Windows Admin Center gateway from the same computer on which it’s installed (i.e. https://localhost:6516)

Gateway mode: Connect to the Windows Admin Center gateway from a client browser on a different machine (i.e. https://servername.contoso.com)

Overview:

A very brief summary of how the protocol works: There is an “endpoint mapper” that runs on TCP port 135.
You can bind to that port on a remote computer anonymously and enumerate all the various RPC services
available on that computer.  The services may be using named pipes or TCP/IP.  Named pipes will use port 445.
The services that are using TCP are each dynamically allocated their own TCP ports,
which are drawn from a pool of port numbers. This pool of port numbers is by default 1024-5000 on XP/2003
and below, and 49152-65535 on Vista/2008 and above. (The ephemeral port range.)

You can customize that port range that RPC will use if you wish, like so:

reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v Ports /t REG_MULTI_SZ /f /d 5200-10200
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v PortsInternetAvailable /t REG_SZ /f /d Y
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v UseInternetPorts /t REG_SZ /f /d Y

And/Or
netsh int ipv4 set dynamicport tcp start=5200 num=10200
netsh int ipv4 set dynamicport udp start=5200 num=10200
netsh int ipv6 set dynamicport tcp start=5200 num=10200
netsh int ipv6 set dynamicport udp start=5200 num=10200

I found this very interesting article about how to troubleshoot RPC communications:

http://blogs.technet.com/b/askds/archive/2012/01/24/rpc-over-it-pro.aspx

http://social.technet.microsoft.com/wiki/contents/articles/4494.aspx

http://technet.microsoft.com/en-us/magazine/2007.07.howitworks.aspx

Tools:

rpcdump (from old windows service pack)

test-server  ; powershell script here: https://gallery.technet.microsoft.com/scriptcenter/Powershell-Test-Server-e0cdea9a

test-rpc       ; powershell script here:

rpc-ping     ; powershell script here: http://www.zerrouki.com/rpc-ping/

portqry -n computer -e 135

netmon 3.4

rpcping

rpings

 

Introduction

Remote Procedure Call (RPC) is an inter-process communication technique to allow client and server software to communicate on a network. The RPC protocol is based on a client/server model. The client makes a procedure call that appears to be local but is actually run on a remote computer. During this process, the procedure call arguments are bundled and passed through the network to the server. The arguments are then unpacked and run on the server. The result is again bundled and passed back to the client, where it is converted to a return value for the client’s procedure call.

RPC is used by several components in Windows Server, such as the File Replication Service (FRS), Active Directory Replication, Certificate services, DCOM, domain join, DCPromo and RDP, NLB and Cluster, Microsoft Operations Master, Exchange and SQL.

The RPC Server

An RPC server is a communications interface provided by an application or service that allows remote clients to connect, pass commands, and transfer data using the RPC protocol. A typical example of an RPC server is Microsoft Exchange Server. Microsoft Exchange Server is an application running on a computer that supplies an RPC communications interface for an RPC client.

An application will register its RPC server with the operating system’s End Point Mapper (EPM) service so that the remote client can locate the RPC server. When the application registers with the EPM it will indicate the IP address and TCP port that it is listening on.

The RPC Client

An RPC client is an application running on any given computer that uses the RPC protocol to communicate with an RPC server. An example of a typical RPC client is the Microsoft Outlook application.

NOTE: In this document the terms RPC server and RPC client refer to the application running at both ends of an RPC communication.

RPC Quick Fixes

Common causes of RPC errors include:

  • Errors resolving a DNS or NetBIOS name.
  • The RPC service or related services may not be running.
  • Problems with network connectivity.
  • File and printer sharing is not enabled.

Use the following procedures to diagnose and repair common causes of RPC errors.

Unable to resolve DNS or NetBIOS names in an Active Directory environment

  1. Use the following commands to verify DNS is working for all DC’s or specific DC’s:
  • To get a DNS status for all DCs in forest, run the following command:
  • DCDIAG /TEST:DNS /V /E /F:<filename.log>
  • The “/e” switch runs the DNS test against all DCs in an Active Directory Forest

To get DNS health on a single DC, run the command below.

  • DCDIAG /TEST:DNS /V /S:<DCNAME> /F:<filename.log>
  • The “/s:” switch runs the DNS test against a specified domain controller.

To verify that a domain controller can be located for a specific domain, run the command below.

  • NLTEST /DSGETDC:<NetBIOS or DNS domain name>
  1. Servers and clients that are receiving the error should be checked to verify that they are configured with the appropriate DNS server. Servers should not be pointing to their ISP’s DNS servers in the preferred or alternate DNS server portion of the TCP/IP settings. The ISP’s DNS servers should only be used as forwarders in DNS.
  1. Ensure that at least one correct DNS record is registered on each domain controller.
  • To ensure that a correct DNS record is registered on each domain controller, find this server’s Active Directory replication partners that run DNS.
  • Open DNSManager and connect in turn to each of these replication partners.
  • Find the host (A) resource record registration for this server on each of the other replication partner domain controllers.
  • Delete those host (A) records that do not have IP addresses corresponding to any of this server’s IP addresses.
  • If a domain controller has no host (A) records for this server, add at least one that corresponds to an IP address on this server. (If there are multiple IP addresses for this server, add at least one that is on the same network as the domain controller you are updating.)
  1. Name resolution may also fail with the RPC Server is unavailable error if NetBIOS over TCP/IP is disabled on the WINS tab in the advanced section of the TCP/IP properties. The NetBIOS over TCP/IP setting should be either enabled or default (use DHCP).
  1. Verify that a single label domain name is not being configured. DNS names that do not contain a suffix such as .com, .corp, .net, .org or .local are considered to be single-label DNS names. Microsoft doesn’t recommend using single label domain names because they cannot be registered with an Internet registrar and domain members do not perform dynamic updates to single-label DNS zones. Knowledge base article 826743 – “Clients cannot dynamically register DNS records in a single-label domain” provides instructions on how to configure your domain to allow dynamic registration of DNS records in a single label domain.

The RPC service or related services may not be started

Verify the status and startup type for the RPC and RPC locator services on the server that gets the error:

  1. By default, Windows server 2003 domain controllers and member servers all should have the RPC service started and set to Automatic startup and the RPC Locator service stopped and set to Manual Startup.
  2. Windows 2000 domain controllers should have the RPC and RPC Locator services both set to started and automatic startup, while Windows 2000 member servers should have the RPC service started and set to automatic startup while the RPC locator service should be started and set to manual startup.
  3. If you make any changes to the RPC service or to the RPC Locator service settings, restart the computer, and then test for the problem again.
  4. Additional Services that may result in “The RPC Server is Unavailable” errors are the TCP/IP NetBIOS helper service, Distributed File System service and Remote Registry service. These services should both be set to automatic and started. The Kerberos Key Distribution Center (KDC) should be Started and Automatic on Windows 2000 and Windows 2003 DCs. It should not be started and set to Disabled in all other cases.

Network Connectivity

Verify ports needed by RPC are open

Verify that ports greater than 1024 are not blocked. Clients connect to RPC Endpoint Mapper on port 135. RPC Endpoint Mapper then tells the client which randomly assigned port between 1024-65535 a requested service is listening on.

Ports may be blocked by a hardware firewall or a software firewall. Software firewalls include Internet Connection Firewall on computers running Windows Server 2003 or Windows XP, and Windows Firewall on computers running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. A computer might also have third-party firewall software installed, or antivirus software with built-in firewall functionality. By default, port 135 TCP/UDP and ports 1024-65535 TCP must be open for RPC to work. You can restrict the ports greater than 1024 that RPC uses. However, RPC Endpoint Mapper is always on port 135.

File and Printer Sharing is not enabled

File and Printer sharing for Microsoft Networks will produce the error “RPC Server is unavailable” when you try to view or manage services on a remote computer using the Services snap-in. See the following example:

Unable to open service control manager database on \<computer>.
Error 1722: The RPC server is unavailable.
This error message may occur if the File and Printer Sharing for Microsoft Networks component is not enabled on the remote computer.

Troubleshooting RPC

The process of an RPC client connecting to an RPC server can be broken down into four phases. This troubleshooting guide will discuss the events that occur at each phase, how to test these events, and how to identify if the phase completed successfully.

Phase 1: Name Resolution: Name resolution is the act of resolving a name to an IP address. This normally takes two forms: NetBIOS Name Resolution or the more common DNS Name Resolution.

Phase 2: TCP session establishment: TCP session establishment is the act of establishing a TCP connection between the RPC client and the RPC server. TCP sessions will be initiated by the RPC client via a TCP 3-way handshake with the RPC server.

Phase 3: RPC Discovery: When a client wants to connect to the RPC server supplied by the application it will contact the computer that hosts the RPC Server and discover how to connect to the RPC Server.

Phase 4: RPC Communication: RPC Communication is the act of making RPC requests to the application endpoint and receiving RPC responses from this application.

Data needed to troubleshoot the issue:

  • Identify the client and server computers reporting the RPC error. Identify the DNS and WINS servers used by these computers. To do this:
  • On each machine, open a command prompt and run ipconfig /all.
  • Determine the IP address of both machines. If the server is part of a cluster get the cluster resource IP address as well. Identify the DNS servers and WINS servers that the RPC client is configured to use.

Note: You can also obtain this information by opening Control PanelNetwork and Sharing Center, clicking Local Area Connection and selecting Properties.

  • Identify the application(s) reporting RPC Server Unavailable
  • Simultaneous network traces (using Wireshark, Netmon, or a comparable network sniffer) from the machines hosting the RPC client and RPC Server while reproducing the task that results in a “RPC Server Unavailable” error.
  • The network captures on both hosts should be started first.
  • From a command prompt on the client run ipconfig /flushdns and nbtstat –R to clear the name resolution caches.
  • Reproduce the error.
  • Stop the traces and save them.

Name Resolution

Name Resolution consists of one or possibly more NetBIOS or DNS queries to locate the IP address for the RPC Server. Troubleshooting this phase requires verifying that a response is received to the name resolution request and that the response contains the correct IP address for the RPC server. Compare the IP address reported by DNS or NetBIOS in the network trace for the server with the IP addresses you noted earlier. If it does not match then check DNS and WINS and note if there is a difference.

DNS Name Resolution

To identify DNS Name Resolution in a network trace use the following filter in Network Monitor or Wireshark: “dns”. DNS resolution will be occurring at the client so open the network trace taken from the RPC client machine. You will be looking for one packet that is the query from the client to the DNS server and then the response packet from the DNS server. It will look similar to this:

If the trace shows the correct IP address for the RPC server was returned by the DNS server proceed to TCP Session Establishment.

If the trace does not show a correct IP address returned or you do not see any answer from the DNS server then reference the following resources to help with DNS name resolution troubleshooting.

For details on troubleshooting Active Directory related DNS issues go here.

For general DNS troubleshooting: http://support.microsoft.com/default.aspx?scid=kb;EN-US;330511

NetBIOS Name Resolution

NetBIOS queries come in two forms, WINS or NetBIOS Broadcasts. WINS will consist of a unicast query to a WINS server and a response from the WINS server.

NetBIOS broadcasts are queries broadcast to all hosts on the local subnet so name resolution is limited to only hosts on the subnet. The host with the name listed in the NetBIOS Broadcast will respond with its IP address.

To identify NetBIOS Name Resolution in a network trace, use the following filter in Network Monitor – “nbtns”. For Wireshark, use the following filter – ”nbns”. If the trace shows a successful resolution using WINS or NetBIOS queries proceed to TCP Session Establishment.

For details on troubleshooting this NetBIOS Name Resolution further:

http://technet.microsoft.com/en-us/library/cc940110.aspx

TCP Session Establishment

TCP Sessions always begin with a TCP 3-way handshake. The handshake should look similar to what is shown below. The RPC Client will send the first packet, known as the SYN packet. The computer hosting the RPC Server will send a SYN/ACK response, and then the RPC Client will send an ACK packet.

Scenarios that may cause the TCP session to fail

Firewall/Network

If a firewall or network problem is the culprit, it is likely a failure will occur during this phase. To diagnose this you will want to look at the network traces taken from the RPC Client and RPC Server. If a firewall or other network device is causing a problem it will usually manifest as a retransmit of the TCP SYN packet by the RPC Client about 3 seconds after the first TCP SYN is sent. This can be seen in a Netmon network trace using the display filter specification of “tcpsynretransmit==1”. In other cases, firewalls will allow the 3-way handshake to succeed but may block the RPC packets due to the contents of the packet at a higher level. In these cases it is possible to see the retransmit of the RPC packet within half a second of the original packet being sent. To identify this condition in a Netmon network trace use the display filter specification of “tcpretransmit==1”. To see either of these retransmit conditions in a trace taken using Wireshark use the display filter specification of “tcp.analysis.retransmission”.

The RPC Server is not actively listening.

It was noted earlier that an RPC Server will register itself and listen on a particular port and IP address of the host computer. If for some reason that fails the TCP layer will answer the SYN packet from the client with a Reset packet.

A device in the middle between the RPC Client and RPC Server will be resetting the connection attempt.

In the client side trace it will appear as if the server sent the TCP Reset while the trace from the server indicates the client is the source of the TCP Reset.

For both these scenarios, check for the presence of a Reset packet in the TCP three way handshake by using the display filter specification of “TCP.flags.reset==1”.

For troubleshooting this step see the following sections in this document:

If the 3-way handshake is successful, continue to the RPC Discovery phase.

RPC Discovery

The RPC Discovery phase will occur one of two ways. In both methods the client will know the identifier for the RPC Server it wants to contact and will supply that to the computer hosting the RPC Server and ask for information on how to contact the RPC Server. The identifier is different depending on which method is used and the RPC client will know ahead of time which method it wishes to use.

Discovery – RPC Over TCPIP

This method is a two-step process. First the RPC client will contact the End Point Mapper (EPM) on the machine hosting the RPC Server to find out what port and IP address that Server is listening on. Upon successful completion of this the RPC client will contact the RPC Server directly on the indicated IP address and Port. Below is a sample of what this would look like and a step by step explanation below it. This step depends on the successful TCP session establishment twice, first to the EPM and then to the RPC Server.

  1. The RPC Client will open a TCP session with TCP port 135 on the computer hosting RPC Server of interest. This can be picked out using the following filter syntax in Netmon or Wireshark: “tcp.port==135”
  2. The RCP Client will send an RPC Bind request using the UUID of the End Point Mapper and the RPC EPM should respond with a Bind ACK packet.
  3. The RPC Client will make a MAP request to the EPM to locate the IP address and port of the RPC Server of interest, identifying the RPC Server based on its UUID.
  4. The EPM will send back a MAP Response that indicates the IP and port the RPC Server is listening on.
  5. The RPC Client will then open a TCP session with the IP and port it received in the EPM MAP response.
  6. The client will send an RPC Bind Request to the RPC Server specifying the UUID of the RPC Server application and should get back a Bind ACK from the RPC Server.
  7. There will be an RPC Alter Context Request/Response in which authentication will take place. If an error is noted here then see the following section for help determining why the error is occurring – Authentication
  8. Perform some RPC operations…(Go to RPC Communication phase)

Discovery – RPC Over SMB

The second method an RPC Client may use to contact an RPC Server is RPC over SMB. This method depends upon first establishing an SMB session with the computer hosting the RPC Server and then using the Named Pipes protocol to communicate using RPC. So in effect there are several levels of encapsulation – RPC over Named Pipes over SMB over TCP. We will not address the SMB session setup in this document and the TCP session establishment has already been discussed.

With a successfully opened TCP and SMB session, next:

  1. The RPC Client will issue a SMB TreeConnectAndX for the tree name “IPC$”. This is a special hidden share for inter-process communication. It should get a positive response from the computer hosting the RPC Server.
  2. The RPC Client will then issue an SMB NTCreateAndX for the name of the PIPE of the RPC Server Application and should get back a positive response. Some examples are:

EVENTLOG = The Event log service

winreg = Remote Registry

svcctl = Service Control Manager

srvsvc = Server Service

  1. Next there is a Bind handshake. This is to “bind” the RPC client to the RPC server. There are a total of four packets involved:
  1. The RPC Client bind request containing the UUID of the desired RPC Server.
  2. A Write AndX response from the RPC Server
  3. A Read AndX request from the RPC Client.
  4. A Bind ACK response from the RPC Server.

At this time a RPC request to the RPC server component is expected.

RPC Communication

At this point RPC communication is occurring between the RPC Client and RPC Server. The troubleshooting steps involved at this stage are largely based on the application reporting the RPC failure.

For Active Directory processes or services please see Active Directory Symptoms.

For Microsoft Exchange related RPC errors please see: Analyzing Exchange RPC traffic over TCP/IP

How to identify the RPC traffic in a trace

RPC network traffic can take multiple forms. It is important to understand which form is in use in order to identify which TCP session is responsible for the RPC communication.

RPC over TCPIP

This is sometimes referred to as Traditional RPC or Sockets based RPC. An example of this is Outlook without “Outlook anywhere” or without http settings configured. A TCP session on TCP port 135 is established with the RPC server. To view this traffic in a trace use the filter: “tcp.port==135”. This session will be used in the RPC Discovery phase to locate the endpoint of the desired application.

RPC over HTTP

RPC connectivity for Internet connected hosts will typically use RPC over HTTP in order to traverse firewalls. Some examples of this can be seen with Terminal Services Gateway, Outlook Web Access, Outlook via “Outlook Anywhere”. This communication will be established on one or more connections to either TCP port 80 or 443(SSL). Since this typically traverses a public network, SSL or TCP port 443 is the more common method. Use the filter “tcp.port==80 or tcp.port==443” to locate either form inside network trace.

RPC over HTTP Port 80

For sessions over TCP port 80, the HTTP requests associated with RPC over HTTP will include a UserAgent header that contains the text “OutlookConnectorDS” and the version number of the connector.

RPC over HTTP Port 443

Sessions using TCP port 443 will initially establish a TLS session. After this TLS negotiation, the TCP Payload will be encrypted in TLS/SSL and the contents of the frames will not be readable in the trace. In this phase, look for failures due to improper certificates, inaccessible Certificate Revocation Lists, or untrusted certificate chains.

For more information on troubleshooting SSL/TLS see:

http://technet.microsoft.com/en-us/library/cc783349(WS.10).aspx

RPC over SMB aka “Named Pipes”

RPC can also take advantage of SMB sessions for the purpose of RPC communication. Some examples of this can be seen with Computer Management or the Remote Registry service. With the use of RPC over SMB:

  1. Establish TCP connection on TCP port 139 or 445.
  2. Negotiate dialect request/response
  3. SessionSetupANDX request/response. This sequence is used to establish the SMB Session. Authentication occurs during the SessionSetupANDX exchange.

If a failure in step 1 occurs, see additional troubleshooting steps see: File and Printer Sharing.

Kerberos Authentication

If Kerberos is used, and the client doesn’t currently have a Kerberos ticket for the RPC server, just after the Negotiate Dialect response is received, the client will obtain a Kerberos ticket for the Servername/cifs SPN of the RPC server. This exchange will occur over the Kerberos ports TCP or UDP port 88 between the client and a Domain Controller. SessionSetupANDX follows and will consist of a single SessionSetupANDX request which includes the Kerberos ticket, followed by a SessionSetupANDX Response indicating success or failure of the authentication.

For additional troubleshooting steps during authentication, see Authentication.

NTLM Authentication

If NTLM is used, SessionSetup will result in a SessionSetupANDX response with a status of STATUS_MORE_PROCESSING_REQUIRED. This response includes the NTLM challenge. The subsequent SessionSetupANDX Request will include the hashed credentials of the client. At this time, the RPC server must validate the credentials supplied by the user. To do this, the RPC server will contact a domain controller, and validate the credentials with the netlogon service, via RPC, on the domain controller. If this is successful, the RPC server will then respond to the client with a SessionSetupANDX Response indicating STATUS_SUCCESS.

For additional troubleshooting steps during authentication, see Authentication.

Troubleshooting Authentication

Verify that authentication is working correctly by checking for Time skew, UDP Fragmentation or an Invalid Kerberos Realm.

  • Time skew can be verified by running net time /querysntp and net time /setsntp:<PDCe server name>. The /querysntp switch allows you to determine if a specific DC is manually configured as the authoritative time server. The /setsntp:<PDCe server name> switch can be used to synchronize the computer receiving the error with the PDC emulator. The PDC emulator is the authoritative time server by default.
  • UDP fragmentation can cause replication errors that appear to have a source of RPC server is unavailable. Symptoms of UDP fragmentation being at the root of this problem include clients being unable to log on to the domain, administrators being unable join computers to the domain and Event ID 40960 & 40961 errors with a source of LSASRV and Kerberos errors with an Event ID of 10 in the system log.Knowledge base article 244474 – “How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Microsoft Windows and XP, and in Microsoft Windows 2000” provides the steps to resolve this problem.
  • An incorrect Kerberos realm can also be at the root of RPC server is unavailable problems. The symptoms that will be experience when the Kerberos realm is incorrect include the following errors when opening AD management tools:Naming Convention could not be located because: No authority could be contacted for authentication. Contact your system administrator to verify that your domain is properly configured and is currently online.-or-

    Naming information cannot be located because: No authority could be contacted for authentication. Contact your system administrator to verify that your domain is properly configured and is currently online.

    To verify that the correct Kerberos realm is configured, follow the steps in 837513 – “Domain controller is not functioning correctly”.

Active Directory Symptoms:

1. If you are experiencing replication problems and getting RPC server is unavailable errors as is reported in repadmin /showreps below, use Portqry or Network Monitor to determine if RPC traffic is being blocked is the first step when attempting to troubleshoot RPC Server is unavailable errors.

[Replications Check,DC2] A recent replication attempt failed:
From DC1 to DC2
Naming Context: CN=Schema,CN=Configuration,DC=xl
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2003-10-30 11:59.47.
The last success occurred at 2003-10-28 20:50.22.
26 failures have occurred since the last success.
[DC1] DsBind() failed with error 1722,
The RPC server is unavailable..
The source remains down. Please check the machine.
BermudaDC1 via RPC objectGuid: 28c78c72-3c95-499a-bcda137a250f069f
Last attempt @ 2003-10-30 11:58.15 failed, result 1722:
The RPC server is unavailable.

Troubleshooting:
If IP Security Policies in Active Directory had the Assigned Value to Server (Request Security) set to Yes then these errors will result. Knowledge base article 313190 – “How to use IPSec IP filter lists in Windows 2000” provide details about where to check these settings and more information about their impact.

2. If you are blocking all ICMP traffic between separate AD sites, you will receive the errors below in the output of DCDIAG when trying to replicate inter-site:

Testing server: contosoDC1
Starting test: Replications
* Replications Check
[Replications Check,DC1] A recent replication attempt failed:
From DC2 to DC1
Naming Context: CN=Schema,CN=Configuration,DC=litware,DC=com
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2003-08-24 23:00.51.
The last success occurred at (never).
553 failures have occurred since the last success.
[DC2] DsBind() failed with error 1722,
The RPC server is unavailable..
The source remains down. Please check the machine.
REPLICATION LATENCY WARNING
DC1: A full synchronization is in progress
from DC2 to DC1
Replication of new changes along this path will be delayed.
[DC2] LDAP connection failed with error 58,
The specified server cannot perform the requested operation.

Troubleshooting: To resolve this issue, remove the ICMP traffic restriction between domain controllers. When establishing an RPC session prior to AD replication, ICMP traffic is used. If the ICMP fails, so does the RPC session establishment, and hence AD replication also fails. ISA 2004 can prevent ICMP traffic with the exception of computers specified in the Remote Management Computers computer set which can be configured in system policy.

3. The following error will appear when attempting to connect to the computer.

“computer <\servername.domain.local> cannot be managed. The network path was not found. RPC server is unavailable.

Or when viewing the properties of the remote computer you will receive the error:

“Win32: The RPC server is unavailable”.


Troubleshooting:
Computer management is one of the better tools for testing RPC connectivity. When RPC traffic is being blocked, connections to other computers using the computer management console will fail.

4. When attempting to promote an additional domain controller in an Active Directory domain while the RPC service is blocked or not running, the following error will appear:

“The domain “domain.local” is not an Active Directory domain, or an Active Directory domain controller for the domain could not be contacted.


Troubleshooting:

5. Connections to computers via Remote Desktop may fail if RPC connectivity cannot be established. When attempting to logon on to the domain via Remote Desktop the following error will be produced in the form of a popup error message if RPC connectivity is the root of the problem:

“The system cannot log you on due to the following error: The RPC server is unavailable.”

You may also see the following errors on the Terminal server:

Error 1727: The remote procedure call failed and did not execute
Error 1722: The RPC server is unavailable.
Error 1723: The RPC server is too busy to complete this operation.
Error 1721: Not enough resources are available to complete this operation.

-or-

Event ID 5719:
Source: NetLogon
Description: No Windows NT Domain Controller is available for domain domain_name.
The following error occurred: There are currently no logon servers available to
service the logon request.

Event ID: 1219
Source: Winlogon
Details: Logon rejected for CONTOSO<computername>. Unable to obtain Terminal Server
User
Configuration. Error: The RPC server is unavailable.

Troubleshooting: These errors can be a result of the TCP/IP NetBIOS Helper service being disabled on the Terminal server or NetBIOS over TCP/IP being disabled on one of the NIC’s used to access the Terminal server. You should also verify that the Client for Microsoft networks is bound to the adapter used to access the Terminal server. You can tell if this is happening by looking at a Netdiag /v from the box for the following output:

Testing redirector and browser… Failed

NetBT transports test. . . . . . . : Failed
List of NetBt transports currently configured:
[FATAL] No NetBt transports are configured.

Redir and Browser test . . . . . . : Failed
List of transports currently bound to the Redir
NetBIOSSmb
[FATAL] The redir isn’t bound to any NetBt transports.

List of transports currently bound to the browser
[FATAL] The browser isn’t bound to any NetBt transports.

Troubleshooting Tools and Methods

Methods to generate RPC Traffic

Computer Management MMC to a remote host

Outlook to an Exchange server

RPCPing – http://support.microsoft.com/kb/831051

Tools for Testing RPC

RPCPing – http://support.microsoft.com/kb/831051

PortQry – http://support.microsoft.com/default.aspx?scid=kb;EN-US;832919

Pipelist – http://technet.microsoft.com/en-us/sysinternals/dd581625.aspx

RPCDump – http://support.microsoft.com/default.aspx?scid=kb;EN-US;325930

NSLookup – http://support.microsoft.com/default.aspx?scid=kb;EN-US;200525

NBLookup – http://support.microsoft.com/default.aspx?scid=kb;EN-US;830578

Tools for monitoring RPC

Network Monitor – Download FAQ

Wireshark – Download

Using PortQry

You can use the Portqry tool to verify that the required ports are open. You should run the Portqry tool on a computer that is not receiving any RPC errors against a computer that is receiving RPC errors by using the -n switch. To this, follow these steps:

a. Click “Start”, click “Run”, type “cmd” in the “Open” box, and then click OK”.

b. Type “portqry -n <problem_server> -e 135” (without the quotation marks).

The output will appear similar to the following examples:

Querying target system called:

<problem_server>
Attempting to resolve name to IP address…
Name resolved to 169.254.1.1
querying…
<problem_server>
TCP port 135 (epmap service): LISTENING
Using ephemeral source port
Querying Endpoint Mapper Database…

Server’s response:

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncacn_ip_tcp:65.53.63.16[1094]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:65.53.63.16[1025]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_http:65.53.63.16[1029]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_http:65.53.63.16[6004]

If port 135 is blocked, the following will appear:

TCP port 135 (epmap service): NOT LISTENING However, for these RPC Endpoint Mapper errors it is likely that ports greater than 1024 are blocked, and not port 135.From the output, you know the DC is using port 1094 for FRS and 1025, 1029, and 6004 for Active Directory replication. You can use the Portqry tool again to check those ports. For example, you can test all the ports at the same time by using the Portqry tool with the -o switch. For example, type

“portqry -n <problem_server> -o 1094,1025,1029,6004″(Without the quotation marks)

If the ports all respond as “LISTENING,” it’s likely that blocked ports are not causing this problem. If any ports respond as “NOT LISTENING,” the ports are probably blocked.

Resources

RPC Blogs

Basics of RPC are covered here:

RPC to Go v.1: http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx

Architecture and a closer look at a connection to the RPC Endpoint mapper in a network capture.

RPC to Go v.2: http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx

This describes how RPC commands can be sent over Named Pipes in SMB via the IPC$ Tree.

RPC to Go v.3: http://blogs.technet.com/b/networking/archive/2009/04/28/rpc-to-go-v-3-named-pipes.aspx

Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario.

http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx

External TechNet Magazine article

This one is good. It lays out RPC basics really quickly and then moves on RPC errors. The information on MaxUserPort would need to be updated with the information about the dynamic port ranges that are used in Vista/W2008 are the high range of ports compared to the 1025-5000 for W2003.

How IT Works, Troubleshooting RPC Errors by Zubair Alexander:

http://technet.microsoft.com/en-us/magazine/2007.07.howitworks.aspxKB

KB Article

Troubleshooting RPC Endpoint Mapper errors using the Windows Server 2003 Support Tools from the product CD

http://support.microsoft.com/default.aspx?scid=kb%3bEN-US%3b839880

 

Resources materials:

AD Security:

Preventing mimikatz attacks: https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5

https://adsecurity.org/?p=1684

https://digital-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory

Mimikatz and Active Directory Kerberos Attacks:

https://adsecurity.org/?p=556

https://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf

https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

http://www.gentilkiwi.com/mimikatz    /   http://blog.gentilkiwi.com/

Scripts:

https://github.com/iadgov/Pass-the-Hash-Guidance
https://github.com/iadgov/Event-Forwarding-Guidance

Domain lockdown: https://github.com/curi0usJack/activedirectory

Microsoft resources:

http://www.microsoft.com/pth

http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf

http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx

 

Pass the Hash – isolation technique:

passTheHash

 

Reference: http://support.microsoft.com/kb/318785

Microsoft .net Framework is a software package that is used by many applications, it runs in a software environment as opposed to hardware environment.

Free program called .NET Version Detector ( download here ).

PowerShell: how to get version of .net framework on a remote computer: https://gallery.technet.microsoft.com/scriptcenter/Detect-NET-Framework-120ec923

To query the local Registry using PowerShell, execute the below command in an elevated PowerShell session.

(Get-ItemProperty ‘HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full’  -Name Release).Release

You can then use the table below to reference the installed version of .NET. For instance, if the returned value is 379893, then .NET 4.5.2 is installed.

Main question is: How do I know if I have been hacked?

Hacking mind map: https://www.marcolancini.it/2018/blog-hacker-playbook-mindmap/

Detecting lateral movement using event logs: http://blog.jpcert.or.jp/.s/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html

Sysmon 6: https://technet.microsoft.com/en-us/sysinternals/sysmon  and how to use it: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

http://blog.crowdstrike.com/sysmon-2/

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

additional resources on this blog: http://wp.me/p15Zft-od

and some other links:  http://www.computerforensicsworld.com/, http://www.forensics.nl/links

The first step is to scan your computer with a Rootkit detector. Our download section has numerous Rootkit scanners available with some being listed below:

Toolkit to help you:

– Volatility: http://www.volatilityfoundation.org/

– Crowdstrike: http://www.crowdstrike.com/community-tools/index.html

– McAfee foundstone free tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx

– Powershell windows forensics: https://github.com/WiredPulse/PoSh-R2

– Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics

– Powershell windows forensics: https://github.com/gfoss/PSRecon

-Powershell windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

– forensic toolkits: http://www.sleuthkit.org/, http://sourceforge.net/projects/autopsy/

– online scanning: http://www.virustotal.com

-Windows event logs

– Windows safe mode ! (autoruns from sysinternals to detect not well known application/services)

– autoruns,procexp,procmon,tcpview,handles,psloggedon  (http://www.microsoft.com/sysinternals)

– treesize pro (http://www.jam-software.com/treesize/)

– closethedoor (http://sourceforge.net/projects/closethedoor/)

– Wireshark (https://www.wireshark.org/download.html) or Microsoft Message Analyzer (http://www.microsoft.com/en-us/download/details.aspx?id=40308)

– nmap: http://nmap.org/download.html#windows

– traceroute: http://www.net.princeton.edu/traceroute.html

Free tools for Windows sysadmin

 

– Find string if files on Windows: using findstr /s /i

findstr /s /i /C:"provider=sqloledb" d:\dir\*.*

– Test SSL and TLS: https://www.qualys.com/sslchecker

_Well-known online tools for network engineers: https://dnschecker.org https://www.whois.net/ https://mxtoolbox.com/ https://whatismyipaddress.com/ http://ping-test.org/ https://www.portcheckers.com/

– Registry editor and comparison, replace: regedt33.exe: https://sourceforge.net/projects/regedt33

– AD security: adsecurity.org  ; http://www.dsinternals.com ; http://www.pingcastle.com; https://thycotic.com/solutions/free-it-tools/weak-password-finder/

– Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics  and  https://github.com/gfoss/PSRecon and https://github.com/davehull/Kans

– Memory forensics: http://www.volatilityfoundation.org/

– Crowdstrike free tools: http://www.crowdstrike.com/community-tools/index.html

– McAfee foundstone free tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx

– Trousse de secours Windows sur cle USB: http://wp.me/p15Zft-wU

– Net tools and forensic tools for windows : http://www.nirsoft.net/utils/ipnetinfo.html
– System and performance: CCleaner,recuva,defragler,speccy from pirisoft: https://www.piriform.com/products
– Windows 8 or Server  2012 start menu (GUI): http://www.classicshell.net/
– New Microsoft network monitor called MESSAGE ANALYZER (GUI): http://www.microsoft.com/en-us/download/details.aspx?id=40308
– ESET Sysinspector: http://www.eset.com/us/download/utilities/ (is a convenient utility for the tool box of every IT expert and first responder)
– Qualys browsercheck: https://browsercheck.qualys.com/  (check internet browser vulnerabilities)
– Secunia personal inspector: http://secunia.com/vulnerability_scanning/personal/download_psi/ (scanner application’s vulnerabilities)
– TrueCrypt. Is disk encryption software: http://www.truecrypt.org/
– Keepass. To remember passwords: http://keepass.info/
– Putty, FileZilla, WinSCP, XMing (free Xserver), MobaXterm (free Xserver and SSH): Unix tools for Windows
– Remote Desktop managers: mRemoteNG, Remote Desktop manager
– Ophcrack is a free Windows password cracker based on rainbow tables: http://ophcrack.sourceforge.net/
– Anti-malware free Malwarebytes (GUI): http://www.malwarebytes.org/
– Inventory tool that performs hardware scanning, software scanning, and Active Directory (AD) reporting (GUI):  www.lansweeper.com
– DNSdataview (GUI): www.nirsoft.net/utils/dns_records_viewer.html
– WinDirStat (GUI): http://windirstat.info
– Archiving and compression 7-zip  (GUI): www.7-zip.com
– Compare content files: ExamDiff  (GUI):  www.prestosoft.com/edp_examdiff.asp
– File Recovery (GUI): PC inspector File recovery   and    easeUS data recovery
– System Information for Windows and benchmarks (Gathers detailed information about a computer’s system properties, settings, and displays, benchmarks):
        – SIW  (GUI)
        – AIDA  (GUI)
        – Everest  (GUI):
– HDTune: GUI – simple disk IO utility
– Unlock DLL: GUI to unlock DLLs in use (c.f unlocker utility on internet)
– AD queries builder with powershell and powershell editor  (GUI): http://www.powergui.org
– AD reports and ldap builder (GUI): http://www.maxpowersoft.com/
– AD change reporter (GUI): www.tinyurl.com/cph99tu
– AD object restore wizard (GUI): www.tinyurl.com/kv83sh9
– Inactive users tracker (GUI): www.tinyurl.com/xv83dsf
– Netmork Monitoring (GUI): http://www.spiceworks.com/, or quest scriptlogic free utility called sl360
– Disk space monitor (GUI): www.tinyurl.com/zksfuw
– Bulk password reset (GUI): www.tinyurl.com/cxc3t4d
– Windows service monitor (GUI): www.tinyurl.com/dakjw32
– Vmware change reporter (GUI): www.tinyurl.com/dsdz44
– File server change reporter (GUI): www.tinyurl.com/bhd3k2b
– Password expiration notifier (GUI): www.tinyurl.com/kbwu34z
– USB blocker (GUI): www.tinyurl.com/awqc4p3
– Free disk analysis tool (Gui): www.northern-utilities.com  ; Find out how much of your storage capacity is being wasted on unwanted files
– Netbook Hardware control (GUI): www.pbus-167.com
– Sysinternal Tools (CMD/GUI): www.microsoft.com/sysinternals
 – www.joeware.net (CMD)
www.netikus.com (CMD/GUI)
www.solarwinds.com
– OpenSSH (Gui, Cmd: www.openssh.com )
– OpenVPN (GUI, Cmd: http://openvpn.net )
– Microsoft Security Essentials: Antivirus/Anti-malware free: www.microsoft.com/security_essentials
– Microsoft Resource Kits
– ClamAV: Antivirus
– AVast: Antivirus
– Free download manager: IE download manager
– Daemontools or Virtual Clone Drive (GUI)
– Tree size free: Directory or disk usage and statistics (GUI): http://www.jam-software.com/freeware/
– CDex: transform CD in MP3… (GUI)
– Desktop Restore. Records the position of desktop icons and restores desktop layouts.
– InfraRecorder. Burns ISO images and creates data and audio CDs and DVDs: http://infrarecorder.org/
– Notepad++. Is a text and code editor.
– NTFS Undelete. Recovers deleted files that are no longer in the recycle bin.
– Paint.NET. Manipulates images.
– PING. Makes a sector-based image copy of a disk partition.
-Windows Preinstallation Environment (WinPE). Lets you make a Windows command-line boot recovery DVD.
– XML Notepad. Is a specialized XML editor.
– ZoomIt. Magnifies portions of a screen and lets you draw on and annotate the screen (c.f www.microsoft.com/sysinternals).
– BareTail. Monitors log files in real time.
– Wireshark. Is a protocol analyzer: http://www.wireshark.org
– FileZilla. Is a GUI FTP client.
– Winscp. Is a GUI sftp client.
– Ngrep. Is a packet sniffer based on finding matching text strings.
– NeWT. Is a vulnerability scanner. (If you’re interested in obtaining this software after reading about it, go to http://cgi.tenablesecurity.com/tenable/requestForm.php.)
– OpenSSH. Creates secure, encrypted shell sessions.
– WinDump. Is a command-line packet sniffer. (If you’re interested in obtaining this software after reading about it, go to http://www.winpcap.org/windump/default.htm.)
– Winfingerprint. Is a network scanner.
– LocatePC. Emails you whenever any private or public IP address in your system changes.
– Open Computers and Software Inventory (OCS Inventory NG). Provides detailed inventory data for an entire network of computers as well as deploys packages. (If you’re interested in obtaining this software after reading about it, go to http://sourceforge.net/projects/ocsinventory.)
– PRTG Traffic Grapher. Is a network monitor.
– SyncBack. Backs up or synchronizes files to another location: http://www.2brightsparks.com/freeware/freeware-hub.html
– Wink. Builds screencast recordings. (The write-up for this tool isn’t in the main article but rather its sidebar “Screencasting with Wink”. If you’re interested in obtaining this software after reading about it, go to http://www.debugmode.com/wink.)
– CamStudio. Builds screencast recordings.
– CDBurnerXP. Burns CD-ROMs, DVDs, audio CDs, and ISO images.
– Comodo Firewall Pro. Is a firewall and antivirus application.
– DriveImage XML. Is a program for imaging and backing up partitions and logical drives.
– GParted LiveCD. Manages partitions on systems. (You can also find information about GParted in “Tool Time: Repartition Windows Servers with GParted”.)
– PageDefrag. Determines how fragmented your paging files and registry hives are, and defragments them (c.f www.microsoft.com/sysinternals)
– JkDefrag. Defragments and optimizes disks.
– TestDisk. Recovers damaged partitions, makes non-bootable disks bootable again, and repairs damaged boot sectors.

Free Virtualization tools:

– Free Tools for hyperV: http://social.technet.microsoft.com/wiki/contents/articles/2325.hyper-v-top-free-programs.aspx

-If you work with virtual machines (VMs), check out the following 29 tools:
“Virtualization on the Cheap”
1. Catbird Compliance Enforcer. Analyzes existing virtual infrastructures, then highlights rogue VMs, quarantines suspect VMs, and generates compliance and security reports.
2. Citrix XenServer. Is a virtualization platform.
3. ConfigCheck. Evaluates an ESX Server installation to see whether it’s configured properly and in accordance with VMware’s best practices, particularly with regard to security guidelines.
4. EasyVMX. Lets you create web-based VMs.
5. Hyper-V. Is a virtualization platform.
6. Microsoft Assessment and Planning Toolkit. Searches out computers in a network, then generates a detailed inventory using Windows Management Instrumentation (WMI), SNMP, or Remote Registry Service.
7. Microsoft Virtual PC 2007. Is a virtualization platform.
8. OpsCheck. Troubleshoots configuration problems that might cause VMware VMotion to encounter problems.
9. PlateSpin Recon Inventory Edition. Profiles and analyzes data centers, then gathers information about traffic, workload, asset inventory, and application services.
10. Veeam Monitor Free Edition. Monitors VMware ESX and ESXi environments in real-time.
11. Virtual Iron Single Server Edition. Is a virtualization platform.
12. VirtualBox. Is a virtualization platform.
13. Vizioncore vOptimizer FreeWare. Squeezes Microsoft and VMware VMs into more manageable sizes.
14. VMware ESXi. Is a virtualization platform.
15. VMware Player. Loads and run VMs created by other virtualization products.
16. V-Scout. Aggregates and organizes information from up to two VMware VirtualCenter installations.
“More Free Virtualization Tools”
17. PHD Virtual.com website. Offers several free VMware utilities (e.g., VMNetBac, SnapHunter).
18. VM Explorer (VMX). Powers VMs on or off as well as backs up and restores VMs.
19. Xtravirt.com website. Offers several free virtualization utilities (e.g., GetVMwareDocs, Visio Action Pack).
“Free Virtualization Utilities”
20. ISO Recorder. Creates and burns ISO images.
21. Ultimate-P2V. Converts physical systems to VMs.
22. VHD Resizer. Expands and shrinks .vhd files.
23. VHDMount. Mounts a .vhd file as a local drive.
24. Virtual Floppy Drive. Mounts a virtual floppy drive from a VM.
25. Virtual Machine Remote Control Client Plus (VMRCplus). Manages, configures, and connects to Microsoft VMs.
26. VMDK to VHD Converter. Converts VMware images to Microsoft images.
27. VMmark. Benchmarks applications running in VMware VMs.
28. VMware Converter. Converts physical machines or Microsoft VMs to VMware VMs.
29. VMware Workstation 5.5 Disk Mount Utility. Mounts a VMware.vhd file on a Windows host.
Note that you can find more information about Hyper-V, VMware ESXi, and Citrix XenServer in “Free Hypervisors Extend Your IT Resources”.

Free Scripting tools:

No matter whether you write scripts or not, you’ll likely find many of the 14 tecommendations in “Script Writers’ Favorite Free Utilities” helpful:
1. Blat. A command-line utility that uses SMTP to send email or uses Network News Transfer Protocol (NNTP) to post to Usenet.
2. AutoIt v3 and SciTE Is a scripting language (AutoIt) and editor (SciTE).
3. CodeKeep Add-In. Is a code snippet manager for Visual Studio (VS).
4. DumpSec. Is a Windows security auditing program.
5. Joeware website. Offers many command-line utilities to automate AD tasks (e.g., AdQueueLoop, Unlock) and other tasks (e.g., DNSSrvRec, SidToName).
6. MD5WIN. Computes and compares Message-Digest algorithm 5 (MD5) digest strings.
7. NirSoft website. Offers numerous utilities for monitoring networks, managing passwords, retrieving Internet-related data, and performing other system-management tasks.
8. Notepad++. Is a text and code editor.
9. PSPad. Is a text and code editor.
10. Python. Is a programming/scripting language that you can use to automate tasks.
11. Regular Expression Laboratory. Lets you create regular expressions and test them against arbitrary text.
12. VIM. Is a text and code editor.
13. WinZip Command Line Support Add-On. Lets you use WinZip directly from the command line and from scripts.
14. Powershell editor and Gui powershell code builder: http://www.powergui.org
check also the powerpacks (like plug-ins for powergui, to manage other windows applications).

Free tools for Sharepoint:

Freebies that might be of interest to SharePoint administrators include the following:
“SharePoint Freebies Someone You Might Know Might Want”
1. Document Connection for Mac. Aids in accessing and browsing Mac documents in SharePoint.
2. Free Technology for Microsoft SharePoint User Groups. Is a program to provide free add-ons and other products to community-organized SharePoint user groups.
3. Persian Language Pack for Windows SharePoint Services (WSS) 3.0.
“More SharePoint Freebies Someone You Might Know Might Want”
4. Discovery Wizard for SharePoint. Gathers SharePoint inventory data and displays it in HTML reports.
5. DocAve SQL Restore Controller. Provides item-level, site-level, and site collection-level restores from active SQL Server databases and from SQL Server backups.
6. Idera SharePoint performance monitor. Monitors SharePoint performance counters and sends email alerts when problems arise.
“Free SharePoint Archiving Tool Aims to Cut Bloat”
7. Metalogix Archiving Express for SharePoint. Archives SharePoint content.

Free tools for Exchange:

Some helpful freebies when working with Microsoft Exchange include:
“Top 10 Exchange Server 2007 Troubleshooting Tools”
1. Database Recovery Management Tool. Analyzes a database store and specifies the steps needed to mount it.
2. Database Troubleshooter. Analyzes database and transaction logs and their entries and reports on problems that might prevent you from recovering the database.
3. Dcdiag. Analyzes the state of domain controllers in a forest or enterprise and reports any problems.
4. Event Viewer. Lets you view Exchange-related events.
5. Mail Flow Troubleshooter. Identifies and repairs mail flow holdups.
6. Message Tracking. Reveals a message’s path through the Exchange Server organization when messages get lost in mail flow transit.
7. Nslookup. Helps troubleshoot DNS problems.
8. Performance Monitor. Analyzes counters associated with various aspects of system performance to see whether those counters fall within a designated range.
9. Performance Troubleshooter. Analyzes three RPC performance problems.
10. Queue Viewer. Lets you view and interact with mail flow queues.
“Two Exchange Server Tools You Should Know About”
11. Performance Analysis of Logs (PAL). Analyzes a performance monitor counter log analyzes and puts its findings in an HTML report.
12. ‘Rough and Tough’ Guide to Identifying Patterns in Transaction Logs. Provides a set of tools and associated processes for figuring out what’s happening on an Exchange server given a set of transaction log files.

Free tools for SQL Server:

If your IT duties include working with SQL Server, check out “The Mega Guide to Free SQL Server Tools”. This guide includes 80 tools, so the list is too long to print here. You can find out what those tools are at http://www.sqlmag.com/Articles/ArticleID/102244/102244.html.
At SQL Server Magazine, we’re all about helping DBAs and developers do their jobs faster and more efficiently—especially now, when they’re being expected to do more with less staff and funding. That’s why, when we realized just how many free SQL Server tools are available, we decided to bring them to your attention. You might recognize some of these tools from Kevin Kline’s Tool Time or Michael Otey’s Back Page, and many of these tools can be found on Microsoft’s CodePlex website. These tools were created by in-the-trenches DBAs and developers, as well as third-party SQL Server product vendors, to solve specific SQL Server problems or to fill holes in SQL Server’s functionality. There are so many free SQL Server tools that we couldn’t test them all, so be sure to test them yourself before running them in production.
Administration
• Data Scripter Add-in for Management Studio—This add-in lets you script data for SQL Server tables through SQL Server Management Studio (SSMS) (sqlblogcasts.com/blogs/seanprice/archive/2007/08/28/data-scripter-add-in-for-management-studio.aspx)
• Iometer—This tool measures and characterizes I/O subsystems in single and clustered servers (www.iometer.org)
• Microsoft SQL Server 2005 Upgrade Advisor—This tool analyzes your SQL Server 2000 and SQL Server 7.0 instances to find features and configuration changes that could affect an upgrade to SQL Server 2005 (www.microsoft.com/downloads/details.aspx?FamilyID=1470e86b-7e05-4322-a677-95ab44f12d75)
• mRemote—You can use this tool (which supports both RDP and VNC) to manage your remote server connections from a central GUI (www.mremote.org/wiki)
• MSSQL Blocks—This tool collects information from multiple SQL Server 2005 and 2000 instances about locked or blocked processes and stores this information in XML files for later analysis (sqlblocks.narod.ru)
• Orphan Finder—You can use Orphan Finder to find records in your SQL Server 2005 databases in which there are values in a foreign key column that aren’t in the parent table (http://www.spi.hr/EnglishaboutLC/tabid/470/Default.aspx)
• Partition Management—This tool uses the Sliding Window technique to remove data from one partition and place it into a staging table, and creates a staging table that’s used to load data into partitions (www.codeplex.com/SQLPartitionMgmt)
• Quest Software’s Toad for SQL Server Freeware—Toad for SQL Server Freeware offers a code and data editor, a data grid for modifying tables, and a database browser that lets you view and manage database objects graphically (www.toadsoft.com/toadsqlserver/toad_sqlserver.htm)
• SortSQLFilesInProject—You can use this tool to sort the SQL files contained in an SSMS project or the packages in a SQL Server Integration Services (SSIS) project (www.sqldbatips.com/showarticle.asp?ID=78)
• SQLDBSize 1.0—This tool graphically displays size information about your databases, tables, indexes, and more (www.sqldbtools.com/Tools.aspx?ProductId=3)
• SQL Management Studio Snapshot Add-In—This utility adds the Create Snapshot option to context menus in SSMS, enabling you to create a database snapshot (sqlblogcasts.com/blogs/seanprice/archive/2007/07/15/sql-management-studio-snapshot-add-in.aspx)
• SQLRecon—SQLRecon finds all of your SQL Server and Microsoft SQL Server Desktop Engine (MSDE) systems by performing active and passive scans on your network (www.specialopssecurity.com/labs/sqlrecon)
• SQL Server 2008 Extended Events Manager—This tool lets you create, delete, modify, start, and stop Extended Events sessions and metadata files in SQL Server 2008 (www.codeplex.com/ExtendedEventManager)
• SQL Server Automation Scripts—This tool provides SQL Server Agent jobs that you can use to perform automated maintenance tasks (download.microsoft.com/download/4/0/C/40CBAD9A-D990-450B-8785-F288CEBFB448/AITScripts.zip)
• SQL Server Database Copy Tool—With this utility, you can copy databases from one SQL Server system to another (dbcopytool.codeplex.com)
• SQL Server Express Utility—You can use this command-line utility to perform various SQL Server maintenance tasks (www.microsoft.com/downloads/details.aspx?FamilyID=fa87e828-173f-472e-a85c-27ed01cf6b02)
• SQL Server Health and History Tool (SQLH2) Performance Collector—This tool collects performance counter data from your SQL Server systems and stores it in a repository (www.microsoft.com/downloads/details.aspx?familyid=64983AF0-7902-427E-9B41-7C2E8FDCC140)
• SQL Server Health and History Tool (SQLH2) Reports—Prevent performance problems by using this tool to collect and store change and trending information (www.microsoft.com/downloads/details.aspx?familyid=A4B837C7-A1FA-4F25-840B-FEF15E917F18)
• YourSQLDba—You can use this T-SQL stored procedure to automate routine database maintenance tasks such as database and log backups and consistency checks (www.grics.qc.ca/YourSqlDba)
Backup and Recovery
• Idera’s SQL safe Freeware Edition—This utility lets you back up and compress multiple databases of any size and offers a scriptable interface (www.idera.com/Products/Free-Tools/SQL-safe-Freeware-Edition)
• AppAssure’s DocRetreiver Lite—This free tool lets you restore individual documents back to a SharePoint farm from a SQL Server backup (www.appassure.com/applications/free-tools/docretriever-lite-for-sharepoint/)
Best Practice and Compliance
• Best Practices Analyzer Tool for Microsoft SQL Server 2000 1.0—You can use this tool to verify whether your SQL Server 2000 systems are managed and operated according to Microsoft’s SQL Server best practices (www.microsoft.com/downloads/details.aspx?FamilyID=b352eb1f-d3ca-44ee-893e-9e07339c1f22)
• Microsoft SQL Server 2005 Assessment Configuration Pack for Sarbanes-Oxley Act (SOX)—This configuration pack audits SQL Server systems to see if they meet the SOX configuration requirements (www.microsoft.com/downloads/details.aspx?familyid=976df931-a3cf-40e3-802e-3281b1451835)
• SQL Server 2005 Best Practices Analyzer—This utility checks your databases for potential problems by using SQL Server 2005 best practices configurations (www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63)
• SQL Server FineBuild—FineBuild lets you install SQL Server 2008 and 2005 with one click, and provides best practice configurations as well (www.codeplex.com/SQLServerFineBuild)

Free tools for business intelligence and DB admins:

 • BIDS Helper—This Visual Studio .NET add-in enhances SQL Server 2008 and 2005’s Business Intelligence Development Studio (BIDS) (www.codeplex.com/bidshelper)
• DTLoggedExec—With DTLoggedExec, each step executed by SSIS packages is logged, which makes configuring and troubleshooting SSIS packages fast and easy (dtloggedexec.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=21219)
• Microsoft SQL Server 2005 Data Mining Add-ins for Microsoft Office 2007—These add-ins let you use SQL Server 2005’s predictive analysis features in Microsoft Excel 2007 and Microsoft Visio 2007 (www.microsoft.com/downloads/details.aspx?FamilyID=7c76e8df-8674-4c3b-a99b-55b17f3c4c51)
• Microsoft SQL Server Metadata-Driven ETL Management Studio (MDDE)—You can use MDDE to quickly generate SSIS packages (sqlservermddestudio.codeplex.com)
• Reporting Services Scripter—This .NET Windows Forms application offers the ability to easily move SQL Server Reporting Services (SSRS) reports and catalog item properties between multiple servers (www.sqldbatips.com/showarticle.asp?ID=62)
• RSBuild—You can use this SSRS deployment tool to execute database scripts with ADO.NET and publish reports and data sources to SSRS (rsbuild.codeplex.com)
• SQL Nexus—This front-end visualization tool is used to load and analyze performance data that was collected by SQLDiag and PSSDiag (www.codeplex.com/sqlnexus)
Change Management
• SQLDBSearch 2.0—With SQLDBSearch 2.0, you can find objects that could be affected by a soon-to-be implemented database change (www.sqldbtools.com/Tools.aspx?ProductId=2)
• Tarantino Database Change Management—This utility makes it easier to apply database schema and database changes to multiple SQL Server systems (code.google.com/p/tarantino/wiki/DatabaseChangeManagement)
Code Formatters
• ApexSQL Refactor—This SQL Server Management Studio add-in offers 43 customizable options for formatting your SQL code and lets you preview your changes before you save them (www.apexsql.com/sql_tools_refactor.asp)
• Instant SQL Formatter—This tool not only reformats your SQL code but also turns your formatted SQL code into HTML code and translates your SQL code into other coding languages such as C# and Java (www.wangz.net/gsqlparser/sqlpp/sqlformat.htm)
• Manoli C# Code Format—You can use this tool to format code to the HTML 4.01 specification for a website or blog (www.manoli.net/csharpformat)
• Simple-Talk Code Prettifier—This tool converts your ASCII source code into HTML code so that you can paste it into an online element such as a blog or website (www.simple-talk.com/prettifier/default.php)
• SQLinForm—With this SQL code formatter, SQL statements aren’t transferred over the Internet and there’s nothing to install (www.sqlinform.com)
Database Comparison
• CompareData—This utility uses ODBC drivers to compare and synchronize data between two SQL Server databases (www.zidsoft.com)
 • Open DBDiff—This database schema comparison tool provides you with a report showing the differences between two database schemas and includes a synchronization script that you can use to update the databases (www.codeplex.com/OpenDBiff)
• SQL Accord Community Edition for Microsoft SQL Server—This tool offers schema comparison features via an interactive GUI (www.sqleffects.com/Articles/Product/sqlAccordInfo/aboutSqlAccordCommunityEd.html)
• SQLDBDiff—You can use this tool to compare and synchronize SQL Server 2005 and 2000 database schemas (www.sqldbtools.com)
• TableDiff.exe GUI—With TableDiff.exe GUI, you no longer have to run the TableDiff.exe table comparison tool (found in SQL Server 2005) from the command line (weblogs.sqlteam.com/mladenp/archive/2007/08/10/60279.aspx)
Database Security
• Devenius SQL Encryption Assistant Basic Edition—You can use this SQL Server Management Studio add-in to manage your encryption keys (www.devenius.com/sql_server_tools/sql_encryption_assistant/SEA.aspx)
• Idera’s SQL permissions—You can use this tool to move or copy SQL Server login information and permissions setting between servers (www.idera.com/Products/Free-Tools/SQL-permissions)
• Lockdown.sql—Your SQL Server systems are locked down to the most secure configuration, letting you deploy systems that have only required functionality enabled (www.sqlsecurity.com/Tools/LockdownScript/tabid/64/Default.aspx)
• Microsoft Baseline Security Analyzer 2.1—This tool performs vulnerability assessment checks on your SQL Server systems to verify their security (technet.microsoft.com/en-us/security/cc184923.aspx)
• SQLPing 3.0—SQLPing scans your network to find new and unprotected SQL Server and MSDE instances (www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx)
Development
• DbFit—You can use DbFit to run Framework for Integrated Testing (FIT) tests directly against databases, making it easier to perform integration testing on databases (www.fitnesse.info/dbfit)
• ScriptDB—This application scripts database objects using SQL Server Management Objects (SMO) (www.codeplex.com/ScriptDB)
• SpatialViewer—This utility lets you view spatial data easily (www.codeplex.com/SpatialViewer)
• SQL Server PowerShell Extensions (SQLPSX)—This tool helps make working with SMO from PowerShell easier by offering PowerShell functions around SMO objects (sqlpsx.codeplex.com)
• SQL Spatial Tools—SQL Spatial Tools includes two tools: Shape2SQL, which you use to upload ESRI files to SQL Server Spatial, and SQLSpatial Query Tool, which queries SQL Server 2008 and displays the geometry output via a Windows Presentation Foundation map (www.sharpgis.net/page/SQL-Server-2008-Spatial-Tools.aspx)
• SQLCLRProject—With SQLCLRProject, you can use MSBUILD tasks to deploy .NET assemblies to SQL Server 2008 and 2005 (www.codeplex.com/sqlclrproject)
• SQLIO Disk Subsystem Benchmark Tool—With this tool, you could find out what the I/O capacity of a SQL Server configuration is (www.microsoft.com/downloads/details.aspx?familyid=9a8b005b-84e4-4f24-8d65-cb53442d9e19)
• SQLScripter—This command-line utility automates schema generation and scripts SQL Server 2005 databases (www.valinor.co.il/tools-sqlscripter.asp)
• SQLsharp—This free tool offers a CLR library of useful functions that you can use to write better SQL code in SQL Server 2008/2005 (www.sqlsharp.com)
• SSMS Tools Pack—This suite of tools enhances SSMS’s functionality with features such as a query template tool and a CRUD procedure-generation tool (www.ssmstoolspack.com)
• Stored Procedure Generator—This tool generates the stored procedures necessary to access tables in SQL Server (spgen.codeplex.com)
• tsqlt—As a unit testing framework for T-SQL, tsqlt helps isolate functionality to be tested (sourceforge.net/projects/tsqlt)

Free tools for DB job management or sysadmin performance monitoring:

Stress test tool, Heavy Load free tool from JAM software: https://www.jam-software.de

• Idera’s SQL job manager—With SQL job manager, you can view and manage SQL Server Agent jobs across multiple SQL Server systems from a central administration console (www.idera.com/Products/Free-Tools/SQL-job-manager)
• JAMS Monitor—With JAMS Monitor, you can manage Windows Task Scheduler and SQL Server jobs and ensure that they’re running successfully from a centralized management console (www.mvpsi.com/FreeMonitor.aspx)
Log Management
• Log Parser 2.2—You can use this tool to access text-based data (e.g., log files, XML files), as well as data sources in Windows (e.g., Active Directory, the event log) (www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07)
• PSSDIAG Data Collection Utility—This diagnostic data collector can be used to gather logs and data files (www.microsoft.com/downloads/details.aspx?familyid=5564386A-28C2-4483-8293-76FFF67B9EB3)
Performance and Monitoring
• ClearTrace—You can use this graphical display tool to summarize query performance data from server-side trace and SQL Server Profiler sessions (www.cleardata.biz/cleartrace/default.aspx)
• DMVStats 1.01—You can use this tool to collect, analyze, and report on performance data from SQL Server 2005 Dynamic Management Views (DMVs) (www.codeplex.com/sqldmvstats)
• Idera’s SQL check—This tool runs as a secure screensaver and monitors your SQL Server systems, as well as offers a look at processes, error logs, and SQL Server Agent jobs (www.idera.com/Products/Free-Tools/SQL-check)
• Internals Viewer for SQL Server—You can use this tool to see how data is allocated, organized, and stored in the SQL Server storage engine (internalsviewer.codeplex.com)
• MDX Script Performance Analyser—You can use this tool to identify which statements in your SQL Server Analysis Services (SSAS) MDX script are negatively affecting MDX query performance (www.codeplex.com/mdxscriptperf)
• Performance Analysis of Logs (PAL) Tool—PAL automates the collection and analysis of performance counters in the Performance Monitor Counter log (www.codeplex.com/PAL)
• Quest Discovery Wizard for SQL Server (beta)—You can use this tool to monitor your network for changes and find all your SQL Server instances (www.quest.com/discovery-wizard-for-sql-server)
• RML Utilities for SQL Server (x86)—With this tool, you can monitor SQL Server performance by processing SQL Server trace files and viewing reports, and test how a specific change will affect your SQL Server systems (www.microsoft.com/downloads/details.aspx?FamilyId=7EDFA95A-A32F-440F-A3A8-5160C8DBE926)
• SQLIOSim—SQLIOSim replicates SQL Server’s types and patterns of I/O requests on a disk subsystem and verifies data similarly to how SQL Server would in a production environment (blogs.msdn.com/sqlserverstorageengine/archive/2006/10/06/SQLIOSim-available-for-download.aspx)
• SQLQueryStress—This tool is helpful when performance stress testing T-SQL queries because it collects data about whether your queries will run under load, and each query’s resource usage (www.datamanipulation.net/sqlquerystress)
• SQL Server 2005 Performance Dashboard Reports—These reports help you quickly identify performance bottlenecks and provide the information necessary to resolve them (www.microsoft.com/downloads/details.aspx?FamilyId=1d3a4a0d-7e0c-4730-8204-e419218c1efc)
• SQL Server Cache Manager—Find out what is being stored in the SQL Server cache and if the cache is being used efficiently with this free tool (www.codeplex.com/sqlservercache)
• SQL Server DBA Dashboard—This tool uses graphs and reports, which are integrated with SSMS, to identify what is using your SQL Server systems’ resources (www.sqlserverexamples.com/v2/Products/tabid/76/Default.aspx)
Prevent SQL Server Injection Attacks
• bsqlbf-v2—This Perl script lets you extract data from blind SQL injections (code.google.com/p/bsqlbf-v2)
• HP Scrawlr—This scanner tool crawls your web pages, checking for SQL injection vulnerabilities (www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx)
• Microsoft Source Code Analyzer for SQL Injection—You can use this tool to find SQL injection vulnerabilities in ASP code (support.microsoft.com/kb/954476)
• URLScan—URLScan restricts the type of HTTP requests Microsoft IIS will process (learn.iis.net/page.aspx/473/using-urlscan)
Web Administration
• SQL Server Hosting Toolkit—The SQL Server Hosting Toolkit offers two tools: the Database Publishing Wizard, which you can use to upload your databases to a hosting environment, and the Database Publishing Services, which offers ASP.NET web services that can make it easier for you to deploy databases (sqlhost.codeplex.com)
• SQL Server Web Tools—This web-based administration tool lets you perform management tasks, including administering accounts, managing databases and tables, and creating and running queries and stored procedures (sqlwebtools.codeplex.com)
• SQL Web Data Administrator—This SQL Server management tool lets you create and edit databases, export and import database schema and data, and more (www.codeplex.com/SqlWebAdmin)
Who Says Nothing in Life Is Free?
Although this list includes dozens of free SQL Server tools, it doesn’t include them all. If you know about a free SQL Server utility that’s not on this list, we want to hear about it: You can email me at mkeller@sqlmag.com. Also, please share your feedback about the tools included in this list in the Tool Time forum at www.sqlmag.com/forums. For even more free tools, see the sidebars “Free SQL Server Projects and Samples” and “Free PowerShell Scripts for SQL Server.”

Introduction:

In summary:

  • Windows Event Forwarding allows for event logs to be sent, either via a push or pull mechanism, to one or more centralized Windows Event Collector (WEC) servers.
  • WEF is agent-free, and relies on native components integrated into the operating system. WEF is supported for both workstation and server builds of Windows.
  • WEF supports mutual authentication and encryption through Kerberos (in a domain), or can be extended through the usage of TLS (additional authentication or for non-domain-joined machines).
  • WEF has a rich XML-based language to control which event IDs are submitted, suppress noisy events, batch events together, and configure submission frequency. Subscription XML supports a subset of XPath, which simplifies the process of writing expressions to select the events you’re interested in.

A WEF connection requires a few basic components:

  • Group Policy Objects (GPOs) to control security auditing and event logging.
  • One or more servers with a configured Windows Event Log Collector service (often referred to as the “WEF Server” or “WEF Collector”).
  • Functional Kerberos for all endpoints (domain) or a valid TLS certificate (non-domain) for the Event Log Collector servers.
  • Windows Remote Management (WinRM) enabled on all workstations and servers that will forward events.
  • Firewall rules permitting WinRM connectivity between the devices.
  • GPOs to specify the URL of the WEF subscription manager(s).
  • One or more event log subscriptions. A subscription is a collection of events based on Event IDs or other criteria to tell the endpoints which event logs to forward.

The following actions occur upon first receiving appropriate GPOs on a workstation:

  • The workstation configures security auditing and starts writing to the local event log.
  • The workstation connects to the subscription manager(s) using WinRM, authenticated either via Kerberos or TLS. In both cases, transport-layer encryption is applied.
  • The workstation registers itself in the registry of the Event Log Collector, and downloads a list of all relevant WEF Subscriptions.
  • The workstation periodically sends events to the Event Log Collector(s) as defined in the subscription files. Additionally, the workstation connects on a periodic heartbeat.

As new devices are added to the domain and receive the appropriate security logging and WEF subscription GPOs, they will automatically begin forwarding events, reducing the administrative burden of ensuring log coverage and quality.

Event forwarding (also called SUBSCRIPTIONS) is a mean to send Windows event log entries from source computers to a collector. A same computer can be a collector or a source.

There are two methods available to complete this challenge – collector initiated (also called PULL) and source initiated (also called PUSH):

Parameter Collector Initiated (PULL) Source Initiated (PUSH)
Socket direction (for firewall rules) Collector –> Source Collector –> Source
Initiating machine Collector Source
Authentication Type Kerberos Kerberos / Certificates

This technology uses WinRM (HTTP protocol on port TCP 5985 with WinRM 2.0) . Be careful with the Window firewall and configure it to allow WinRM incoming requests.

WinRM is the ‘server’ component and WinRS is the ‘client’ that can remotely manage the machine with WinRM configured.

Differences you should be aware of:

WinRM 1.1 (obsolete)
Vista and Server 2008
Port 80 for HTTP and Port 443 for HTTPS

WinRM 2.0
Windows 7 and Server 2008 R2, 2012 R2, windows 10, Server 2016 …
Port 5985 for HTTP and Port 5986 for HTTPS

Tool:

https://www.logbinder.com/

Reference articles for WEF and Event forwarding:

Deploying WinRM using Group Policy: http://www.vkernel.ro/blog/how-to-enable-winrm-http-via-group-policy

Microsoft official document well documented:

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4

http://blogs.technet.com/b/jepayne/archive/2015/11/24/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem.aspx

Fresh How-to from Intrusion detection perspective:

https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f

How-to easy to follow from Intrusion detection perspective:

https://www.root9b.com/sites/default/files/whitepapers/R9B_blog_005_whitepaper_01.pdf

https://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

Basic configuration:

on source computers and collector computer:  winrm quickconfig     and add the collector computer account to the local administrators group

To verify a listener has been created type winrm enumerate winrm/config/listener

WinRM Client Setup

Just to round off this quick introduction to WinRM, to delete a listener use winrm delete winrm/config/listener?address=*+Transport=HTTP

on collector computer: wecutil qc. Add the computer account of the collector computer to the Event Log Readers Group on each of the source computers

on collector computer: create a new subscription from event viewer (follow the wizard)

WinRS: WinRS (Windows Remote Shell) is the client that connects to a WinRM configured machine (as seen in the first part of this post). WinRS is pretty handy, you’ve probably used PSTools or SC for similar things in the past. Here are a few examples of what you do.

Connecting to a remote shell
winrs -r:http://hostnameofclient "cmd"
Stop / Starting remote service
winrs -r:http://hostnameofclient "net start/stop spooler"
Do a Dir on the C drive
winrs -r:http://hostnameofclient "dir c:\"

WinRS

Forwarded Event Logs:

This is configured using ‘subscribers’, which connect to WinRM enabled machines.

To configure these subscribers head over to event viewer, right click on forwarded events and select properties. Select the 2nd tab along subscriptions and press create.

This is where you’ll select the WinRM enabled machine and choose which events you would like forwarded.

Subscriptions

Right click the subscription and select show runtime status.

Error 0x80338126

Now it took me a minute or two to figure this one out. Was it a firewall issue (this gives the same error code), did I miss some configuration steps? Well no, it was something a lot more basic than that. Remember earlier on we were talking about the port changes in WinRM 1.1 to 2.0?

That’s right, I was using server 2008 R2 to set the subscriptions which automatically sets the port to 5985. The client I configured initially was server 2008 so uses version 1.1. If you right click the subscription and click properties -> advanced you’ll be able to see this. I changed this to port 80 and checked the runtime status again.

[DC2.domain.local] – Error – Last retry time: 03/02/2011 20:20:30. Code (0x5): Access is denied. Next retry time: 03/02/2011 20:25:30.”

Head back to the advanced settings and change the user account from machine account to a user with administrative rights. After making these changes the forwarded events started to flow.

Subscriptions Advanced

Additional considerations:

In a workgroup environment, you can follow the same basic procedure described above to configure computers to forward and collect events. However, there are some additional steps and considerations for workgroups:

  • You can only use Normal mode (Pull) subscriptions
  • You must add a Windows Firewall exception for Remote Event Log Management on each source computer.
  • You must add an account with administrator privileges to the Event Log Readers group on each source computer. You must specify this account in the Configure Advanced Subscription Settings dialog when creating a subscription on the collector computer.
  • Type winrm set winrm/config/client @{TrustedHosts="<sources>"} at a command prompt on the collector computer to allow all of the source computers to use NTLM authentication when communicating with WinRM on the collector computer. Run this command only once. Where <sources> appears in the command, substitute a list of the names of all of the participating source computers in the workgroup. Separate the names by commas. Alternatively, you can use wildcards to match the names of all the source computers. For example, if you want to configure a set of source computers, each with a name that begins with “msft”, you could type this command winrm set winrm/config/client @{TrustedHosts="msft*"} on the collector computer. To learn more about this command, type winrm help config.

If you configure a subscription to use the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings , you must also set corresponding Windows Firewall exceptions for port 443. For a subscription that uses Normal (PULL mode) delivery optimization, you must set the exception only on the source computers. For a subscription that uses either Minimize Bandwidth or Minimize Latency (PUSH mode) delivery optimizations, you must set the exception on both the source and collector computers.

If you intend to specify a user account by using the Specific User option in Advanced Subscription Settings when creating the subscription, you must ensure that account is a member of the local Administrators group on each of the source computers in step 4 instead of adding the machine account of the collector computer. Alternatively, you can use the Windows Event Log command-line utility to grant an account access to individual logs. To learn more about this command-line utility, type wevtutil sl -? at a command prompt.

 

 

Video:

Tutorials:

1st: Event forwarding between computers in a Domain

http://tutorial.programming4.us/windows_7/Forwarding-Events-(part-1)—How-to-Configure-Event-Forwarding-in-AD-DS-Domains.aspx

2nd: Event forwarding between computers in workgroup

http://tutorial.programming4.us/windows_7/Forwarding-Events-(part-2)—How-to-Troubleshoot-Event-Forwarding—How-to-Configure-Event-Forwarding-in-Workgroup-Environments.aspx

Additional article talking about Event forwarding too:

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html