Category: Core Server

 Obviously, you need to find a hack before you can take measures to stop the attack and recover from it. Where do you begin? Every hack is unique, but you should always check certain places first. Here are the key locations in which to start your search.

Registry subkeys. If you suspect that a particular machine has been hacked, check the Run subkeys in that machine’s registry first. Look for any unfamiliar programs that load from these subkeys. Not only do attackers favor the Run subkeys as a launching point for rogue programs, but intruders can launch viruses from those subkeys as well. The subkeys apply to Windows Server 2003, Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x. The specific subkeys to check are:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

If you’re running Windows 2003, XP, Win2K, or NT systems, you also need to check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\Explorer\Run subkey.

Any program that you don’t recognize is a potential hacking program. Use Google or a similar search engine to search the Internet for the program name and determine whether the program is legitimate. You should be especially suspicious of programs that load from C:, C:\windows, and C:\windows\system32. I strongly suggest that you make a habit of regularly reviewing these registry keys so you become familiar with all the programs that are set to automatically load on your computers.

The following subkeys are less commonly used to launch hacking programs, but you need to check them also. These subkeys apply to all Windows OSs. If the default registry key contains a value other than “%1” %*, the program is most likely a hacker program.

  • HKEY_CLASSES_ROOT\batfile\shell\open\command
  • HKEY_CLASSES_ROOT\comfile\shell\open\command
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
  • HKEY_CLASSES_ROOT\htafile\shell\open\command
  • HKEY_CLASSES_ROOT\piffile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafila\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command

Services. Review the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry subkey on all Windows OSs. The entries under this subkey specify the services that are defined on your computer. I suggest that you look directly in the registry instead of using Windows’ Services GUI because some services (e.g., Type 1 services) don’t show up in the Services GUI. Again, check for programs you don’t recognize. If possible, compare the Services subkey entries and values to a machine that you know is hack-free and investigate any differences you find.

Startup Folder. Check the C:\Documents and Settings\All Users\Start Menu\Programs\Startup and C:\Documents and Settings\user_name>\Start Menu\Programs\Startup folders for unfamiliar programs and hidden files. To display a list of hidden files in the current folder and any subfolders, at a command prompt, enter

dir /a h /s

Task Scheduler. Check the C:\windows\tasks folder for unauthorized tasks. Investigate any scheduled task that you don’t recognize.

Win.ini. Malicious users can load hacking programs automatically from C:\windows\win.ini. Look in the following section of the win.ini file:

\[windows\]                              Run=                              Load=

Any program listed after Run= or Load= will load automatically when Windows starts.

System.ini. Intruders can use shell commands to load programs in C:\windows\system.ini. Search system.ini for:

\[boot\]                              shell=explorer.exe

Any program listed after explorer.exe will load automatically when Windows starts.

Other locations exist from which a hacker can automatically load programs to launch when Windows starts. Sysinternals’ Autoruns freeware utility shows you which programs are configured to load during startup on NT and later systems. You can download the tool from

Open Ports and Unauthorized Users
After you’ve run your initial key-locations check for hacking activity, look for unexpected or suspicious open ports.


Here are my recommendations to secure your computers and your domain:

Configuration\Windows Setting\Security Settings leaf.

Rename the Local Administrator Account: If the bad guy doesn’t know the name of your Administrator account, he’ll have a much harder time hacking it.

Disable the Guest Account: One of the worst things you can do is to enable this account. It grants a fair amount of access on a Windows computer and has no password. Enough said!

Disable LM and NTLM v1: The LM (LAN Manager) and NTLMv1 authentication protocols have vulnerabilities. Force the use of NTLMv2 and Kerberos. By default, most Windows systems will accept all four protocols. Unless you have really old, unpatched systems (that is, more than 10 years old), there’s rarely a reason to use the older protocols.

Disable LM hash storage: LM password hashes are easily convertible to their plaintext password equivalents. Don’t allow Windows to store them on disk, where a hacker hash dump tool would find them.

Minimum password length: Your minimum password size should be 12 characters or more. Don’t bellyache if you only have 8-character passwords (the most common size I see). Windows passwords aren’t even close to secure until they are 12 characters long — and really you want 15 characters to be truly secure. Fifteen is a magic number in the Windows authentication world. Get there, and it closes all sorts of backdoors. Anything else is accepting unnecessary risk.

Maximum password age: Most passwords should not be used longer than 90 days. But if you go to 15 characters (or longer), one year is actually acceptable. Multiple public and private studies have proven that passwords of 12 characters or longer are relatively secure against password cracking to about that length of time.

Event logs: Enable your event logs for success and failure. As I’ve covered in this column many times, the vast majority of computer crime victims might have noticed the crime had they had their logs on and been looking.

Disable anonymous SID enumeration: SIDs (Security Identifiers) are numbers assigned to each user, group, and other security subject in Windows or Active Directory. In early OS versions, non-authenticated users could query these numbers to identify important users (such as Administrators) and groups, a fact hackers loved to exploit.

Don’t let the anonymous account reside in the everyone group: Both of these settings, when set incorrectly, allow an anonymous (or null) hacker far more access on a system than should be given. These have been disabled by default since 2000, and you should make sure they stay that way.

Enable User Account Control: Lastly, since Windows Vista, UAC has been the No. 1 protection tool for people browsing the Web. I find that many clients turn it off due to old information about application compatibility problems. Most of those problems have gone away, and many of the remaining ones can be solved with Microsoft’s free application compatibility troubleshooting utility. If you disable UAC, you’re far closer to Windows NT security than you are a modern operating system.

Here’s the best part: Each of these settings is set correctly by default in Windows Vista/Server 2008 (and later). Most of my Windows security books were all about the settings I wanted you to more securely harden. These days, my best advice is don’t muck it up. When I see problems, it’s because people go out of their way to weaken them, and that’s never good.


  • Accounts: Rename administrator account — not highly effective but another security layer nonetheless (define a new name)
  • Accounts: Rename guest account (define a new name)
  • Interactive logon: Do not display last user name (set to “Enabled”)
  • Interactive logon: Do not require last user name (set to “Disabled”)
  • Interactive logon: Message text for users attempting to log on (define banner text for users to see – something along the lines of This is a private and monitored system…you abuse this system, you’re toast — just run it by your lawyer first)
  • Interactive logon: Message title for users attempting to log on — something along the lines of WARNING!!!
  • Network access: Do not allow enumeration of SAM accounts and shares (set to “Enabled”)
  • Network access: Let “Everyone” permissions apply to anonymous users (set to “Disabled”)
  • Network security: Do no store LAN Manager hash value on next password change (set to “Enabled”)
  • Microsoft Network client: send unencrypted password to third-party SMB servers (Set to “Disabled”)
  • Network security: LAN Manager authentication level (set to “Send NTLMv2 responses only. Refuse LM & NTLM”)
  • Shutdown: Allow system to be shut down without having to log on (set to “Disabled”)
  • Shutdown: Clear virtual memory pagefile (set to “Enabled”)

How to improve Windows DNS security (hardening):


DNS logging (audit and analytics):

Secure DNS Deployment Guide:

DNS security part 1:

DNS security part 2:

Understand man in the middle attack:

External DNS Server Hardening:

Note: Root hints are used to let the DNS server know where to start the recursion process. Root hints normally point to the Internet root DNS servers so that you can resolve public host names using recursion.

However, if you don’t need to resolve public host names, you can edit the root hints file so that it only contains DNS servers on your intranet. By doing this, you can avoid sending private information about possible internal host names to public DNS servers.

Securing DNS with DNSSEC:


Mitigating DNS security weakness :

Low-Level Security

Low-level security is a standard DNS deployment without any security precautions configured. You should deploy this level of DNS security only in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity:

  • The DNS infrastructure of your organization is fully exposed to the Internet.
  • Standard DNS resolution is performed by all DNS servers in your network.
  • All DNS servers are configured with root hints pointing to the root servers for the Internet.
  • All DNS servers permit zone transfers to any server.
  • All DNS servers are configured to listen on all of their IP addresses.
  • Cache pollution prevention is disabled on all DNS servers.
  • Dynamic update is allowed for all DNS zones.
  • User Datagram Protocol (UDP) and TCP/IP port 53 is open on the firewall for your network for both source and destination addresses.

Medium-Level Security

Medium-level security uses the DNS security features that are available without running DNS servers on domain controllers and storing DNS zones in Active Directory:

  • The DNS infrastructure of your organization has limited exposure to the Internet.
  • All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
  • All DNS servers limit zone transfers to servers that are listed in the name server (NS) resource records in their zones.
  • DNS servers are configured to listen on specified IP addresses.
  • Cache pollution prevention is enabled on all DNS servers.
  • Dynamic update that is not secure is not allowed for any DNS zones.
  • Internal DNS servers communicate with external DNS servers through a firewall with a limited list of allowed source addresses and destination addresses.
  • External DNS servers in front of the firewall are configured with root hints that point to the root servers for the Internet.
  • All Internet name resolution is performed by using proxy servers and gateways.

High-Level Security

High-level security uses the same configuration as medium-level security. It also uses the security features that are available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required:

  • The DNS infrastructure of your organization has no Internet communication by means of internal DNS servers.
  • Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.
  • DNS servers that are configured with forwarders use internal DNS server IP addresses only.
  • All DNS servers limit zone transfers to specified IP addresses.
  • DNS servers are configured to listen on specified IP addresses.
  • Cache pollution prevention is enabled on all DNS servers.
  • Internal DNS servers are configured with root hints that point to the internal DNS servers that host the root zone for your internal namespace.
  • All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to allow only specific individuals to perform administrative tasks on the DNS server.
  • All DNS zones are stored in Active Directory. A DACL is configured to allow only specific individuals to create, delete, or modify DNS zones.
  • DACLs are configured on DNS resource records to allow only specific individuals to create, delete, or modify DNS data.
  • Secure dynamic update is configured for DNS zones except the top-level zones and root zones, which do not allow dynamic updates at all.

Windows XP/2003/2012 and greater support drive mapping back to the client workstation during a Terminal Services (Remote Desktop) session. This means you can copy files from the server to the client and vice versa.

Each volume (removable, fixed or network) available on the client workstation is mapped (A for drive A:, C for drive C:, X for drive X: etc) and the remote Terminal Services session inherits the user’s permission. So if you are logged on to the workstation as user A and you log in to the Terminal Services server as user B, the session will have access to the drives according to A’s permissions.

Drives can also be mapped like a network drive. The client drives are accessible as \\TSCLIENT\C. Note the client workstation’s machine name is not used, it is always referenced with the generic name TSCLIENT.

To display the files on TSCLIENT:


So you can map a drive as follows:


or simply use the Universal Naming Convention (UNC) syntax:




ROBOCOPY \\TSCLIENT\C\MYDIR D:\DOCUMENTS *.* /MIR /Z /ETA /r:1 /w:1 /Log+:d:\log.txt


Note: If you receive an “Attempt to access invalid address” error when using the UNC path \\tsclient\c, then the problem is on the client side.

Likely, the Windows firewall is turned on and blocking file shares, or “File and Printer Sharing For Microsoft Networks” is turned off in the NIC properties, the Server service is disabled, or simple file sharing is enabled on the client


Resources materials:

AD Security:

Mimikatz and Active Directory Kerberos Attacks:    /


Domain lockdown:

Microsoft resources:


Pass the Hash – isolation technique:



How to create and deploy a client certificate for MAC:

Transforming .cer to .pem or vice-versa:

using openssl to convert a certificate format to another format:

Exporting a private key:



Using Powershell:

Using SCOM:





Troubleshooting slow logons:

Logon process:

Tools for troubleshooting:

And powershell:

Analyze GPOs load time:


How to use Xperf, Xbootmgr, Procmon, WPA?

xperf;xbootmgr;xperfview comes from Windows ADK (Windows performance toolkit sub part). Procmon is a sysinternal tool.

Other interesting articles:


Windows Performance Analyzer (wpa.exe) youtube:

Xperf data collection tool:


For boot tracing:

xbootmgr -trace boot -traceFlags BASE+CSWITCH+POWER -resultPath C:\TEMP

with boot phases:
xbootmgr -trace boot -traceflags base+latency+dispatcher -stackwalk profile+cswitch+readythread 
       -notraceflagsinfilename -postbootdelay 120 -resultPath C:\TEMP

For shutdown tracing:

xbootmgr -trace shutdown -noPrepReboot -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

For Standby+Resume:

xbootmgr -trace standby -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

For Hibernate+Resume:

xbootmgr -trace hibernate -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

replace C:\TEMP with any temp directory on your machine as necessary to store the output files

Analyses of the boot trace:


To start create a summary xml file, run this command (replace the name with the name of your etl file)

xperf /tti -i boot_BASE+CSWITCH+POWER_1.etl -o summary_boot.xml -a boot

Analyses of the shutdown trace:

The shutdown is divided into this 3 parts:


To generate an XML summary of shutdown, use the -a shutdown action with Xperf:

xperf /tti -i shutdown_BASE+CSWITCH+DRIVERS+POWER_1.etl -o summary_shutdown.xml -a shutdown



How to list and to install Windows feature from Powershell ?

Import-Module servermanager

Get-WindowsFeature | Where-Object {$_.installed} | Format-Table -AutoSize

Get-WindowsFeature | Where-Object {$_.Installed -match “True”} | Select-Object -Property Name

Get-WindowsFeature | Where-Object {$_.Installed -match “True”} | Select-Object -Property Name | Out-File d:\Temp\Features.txt

To install the features:

Add-WindowsFeature NetFx2-ServerCore
Add-WindowsFeature NetFx2-ServerCore-WOW64
Add-WindowsFeature NetFx3-ServerCore
Add-WindowsFeature NetFx3-ServerCore-WOW64

To automate a little bit more:

On the source server (master):

Get-WindowsFeature | Where-Object { $_.Installed } | Where-Object { $_.SubFeatures.Count -eq 0 } | Export-Clixml d:\temp\features.xml
Copy-Item d:\temp\features.xml \\remoteserver\d$\temp

On the remote server (target):

$file = Import-Clixml d:\temp\features.xml

$file | Add-WindowsFeature