Category: Microsoft


IT Self-trainings

IT pro TV: https://itpro.tv/course-library/

Microsoft virtual academy: https://mva.microsoft.com/

Microsoft channel9: https://channel9.msdn.com/


Microsoft IGNITE 2016

Microsoft Ignite 2016 conference – announcements:

  • Office with Tap & Quick Start
  • Yammer integrated with Office 365 Groups
  • SharePoint (SharePoint team site, library sync, Android & Windows apps)
  • Skype for Business on Mac
  • Live transcription on Skype Broadcast
  • PSTN Calling in preview in France

Office at Ignite : https://blogs.office.com/2016/09/26/office-365-news-in-september-at-ignite-intelligence-security-collaboration-and-more/

Other announcements regarding Office 365:

Office 365

Connect to expertise and content with new people experiences throughout Office 365

Applying intelligence to security and compliance in Office 365

Skype for Business

Yammer

SharePoint and OneDrive

  • Major OneDrive updates at Ignite 2016 include SharePoint Online sync preview
  • Announcing Feature Pack 1 for SharePoint Server 2016—cloud-born and future-proof
  • Enhanced conditional access controls, encryption controls and site classification in SharePoint and OneDrive
  • Enriching the mobile and intelligent intranet with team news, apps for Android and Windows and more

The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is it’s probably one of the most detailed documents I’ve seen in a long time. From setting up event subscriptions to a hardened use of Windows Remote Management, including authentication and firewalls, this document tells you how to securely set up an environment in which you can natively consolidate and monitor event-log entries. In addition, the NSA goes on to cover a number of areas that should be monitored – complete with event IDs:

http://www.redblue.team/2015/09/spotting-adversary-with-windows-event.html

http://www.redblue.team/2015/09/spotting-adversary-with-windows-event_21.html

Event forwarding guidance: https://github.com/iadgov/Event-Forwarding-Guidance

Malware archeology cheat sheets: http://www.malwarearchaeology.com/cheat-sheets/

Machine-specific issues – which can be indications of malicious activity

  • Application Crashes
  • System or Service Failures
  • Kernel and Device Signing
  • The Windows Firewall

Administrator Activity – specific actions performed that may be suspect

  • Clearing of Event Logs
  • Software and Service Installation
  • Remote Desktop Logon
  • Account Usage

The bad news is you’re still left to sort out a TON of event log detail and interpret whether the entries are a problem or not.

Additionally: Changes to Group Policy only show up in the events as a change to the policy, but lack detail on exactly what was changed within the Group Policy.

To truly have a grasp on whether you have an “adversary” within or not and, if so, what that adversary is doing, you’re going to require a solution that not only collects events, but can correlate them into something intelligent. Your solution should:

  • Consolidate events
  • Focus on the events you are concerned about
  • Provide comprehensive detail about the changes to your systems, security and data

Three software solutions:

  • Netwrix Auditor for AD
  • Dell Change Auditor for AD
  • IBM QRadar (SIEM)

Splunk (SIEM): Splunk Windows Auditing using the NSA guide: https://github.com/anthonygtellez/windows_auditing

MS white-paper best practices to secure AD: http://aka.ms/bpsadtrd

MS Advanced threat analytics (MS ATA): https://www.microsoft.com/en-us/server-cloud/products/advanced-threat-analytics/

Windows Event IDs useful for intrusion detection:

Windows Vista events and above

Category                                  Event ID    Description
User Account Changes                      4720        Created
                                          4722        Enabled
                                          4723        User changed own password
                                          4724        Privileged user changed this user’s password
                                          4725        Disabled
                                          4726        Deleted
                                          4738        Changed
                                          4740        Locked out
                                          4767        Unlocked
                                          4781        Name change
Domain Controller Authentication Events   4768        TGT was requested
                                          4771        Kerberos pre-auth failed
                                          4772        TGT request failed
Logon Session Events                      4624        Successful logon
                                          4647        User initiated logoff
                                          4625        Logon failure
                                          4776        NTLM logon failed
                                          4778        Remote desktop session reconnected
                                          4779        Remote desktop session disconnected
                                          4800        Workstation locked
                                          4801        Workstation unlocked
Domain Group Policy                       4739        Domain GPO changed
                                          5136        GPO changed
                                          5137        GPO created
                                          5141        GPO deleted
Security                                  1102        Event log cleared
Software and Service Installation         6           New kernel filter driver
                                          7045        New Windows service
                                          1022, 1033  New MSI file installed
                                          903, 904    New application installation
                                          905, 906    Updated application
                                          907, 908    Removed application
                                          4688        New process created
                                          4697        New service installed
                                          4698        New scheduled task
External Media Detection                  43          New device information
                                          400         New mass storage installation
                                          410         New mass storage installation

Group Changes (event ID by group type and action)

Group type                 Created   Changed   Deleted   Members added   Members removed
Security / Local           4731      4737      4734      4732            4733
Security / Global          4727      4735      4730      4728            4729
Security / Universal       4754      4755      4758      4756            4757
Distribution / Local       4744      4745      4748      4746            4747
Distribution / Global      4749      4750      4753      4751            4752
Distribution / Universal   4759      4760      4763      4761            4762

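The tables above list which IDs to collect, but the earlier paragraph's point is that raw events still need correlation. The following is an added Python example (not from the NSA guide or any tool on this page) that runs three such rules over a constructed export: event log cleared (1102), an account created (4720) and then a privileged security group changed (4732/4728/4756) by the same actor, and a burst of logon failures (4625). The CSV layout, the privileged group names and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs taken from the table above (Vista and later); only the subset the rules use.
EVENT_LOG_CLEARED = 1102
ACCOUNT_CREATED = 4720
LOGON_FAILURE = 4625
MEMBER_ADDED = {4732: "local", 4728: "global", 4756: "universal"}  # security groups
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}  # assumption: groups worth alerting on

# Constructed sample export in a hypothetical "time,event_id,actor,target" CSV layout;
# not real log data. For 4720 the target is the new account, for 4732 it is the group.
SAMPLE_LOG = """\
2016-10-03T08:00:01,4624,alice,
2016-10-03T08:01:10,4720,bob,svc_backup
2016-10-03T08:01:12,4722,bob,svc_backup
2016-10-03T08:01:15,4732,bob,Administrators
2016-10-03T08:05:00,4625,mallory,
2016-10-03T08:05:01,4625,mallory,
2016-10-03T08:05:02,4625,mallory,
2016-10-03T08:05:03,4625,mallory,
2016-10-03T08:05:04,4625,mallory,
2016-10-03T08:20:00,4625,alice,
2016-10-03T09:30:00,1102,bob,
"""

def parse_export(text):
    """Turn the CSV-style export into dicts with a parsed timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, actor, target = line.split(",", 3)
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "actor": actor, "target": target})
    return sorted(events, key=lambda e: e["time"])

def find_alerts(events, window=timedelta(minutes=10), max_failures=5):
    """Three rules: log cleared; account created then a privileged group changed
    by the same actor inside the window; a burst of logon failures per account."""
    alerts = []
    created_by = defaultdict(list)  # actor -> times of 4720 events they generated
    failures = defaultdict(list)    # actor -> times of 4625 events inside the window
    for e in events:
        if e["id"] == EVENT_LOG_CLEARED:
            alerts.append(("log_cleared", e["actor"], e["time"].isoformat()))
        elif e["id"] == ACCOUNT_CREATED:
            created_by[e["actor"]].append(e["time"])
        elif e["id"] in MEMBER_ADDED and e["target"] in PRIVILEGED_GROUPS:
            if any(e["time"] - t <= window for t in created_by[e["actor"]]):
                alerts.append(("new_account_privileged", e["actor"], e["target"]))
        elif e["id"] == LOGON_FAILURE:
            hits = failures[e["actor"]]
            hits.append(e["time"])
            hits[:] = [t for t in hits if e["time"] - t <= window]
            if len(hits) == max_failures:  # fire once, when the threshold is first reached
                alerts.append(("logon_failure_burst", e["actor"], len(hits)))
    return alerts
```

Running find_alerts(parse_export(SAMPLE_LOG)) yields three alerts in time order: bob placing a freshly created account's actor activity into Administrators, mallory's five failures inside ten minutes, and bob clearing the log.
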
Office 365 roadmap: http://fasttrack.microsoft.com/roadmap

Azure roadmap: https://www.microsoft.com/en-us/server-cloud/roadmap/?tduid=(d54b359b9c4047f808e986150b41d860)(152407)(1806294)(skim725X721037Xcefc634c345a150ca3baaa1302d64ce5)()

Microsoft roadmap: https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap?tduid=(d54b359b9c4047f808e986150b41d860)(152407)(1806294)(skim725X721037X197a8775c837e9b1f7341d7aac534129)()


A well-known vulnerability within Windows can map an anonymous connection (or null session) to a hidden share called IPC$ (which stands for interprocess communication). This hack method can be used to

  • Gather Windows host configuration information, such as user IDs and share names.

  • Edit parts of the remote computer’s registry.

Although Windows Server 2008, Windows XP, Windows 7, and Windows 8 don’t allow null session connections by default, Windows 2000 Server does — and (sadly) plenty of those systems are still around to cause problems on most networks.

Map a null session

Follow these steps for each Windows computer to which you want to map a null session:

  1. Format the basic net command, like this:

    net use \\host_name_or_IP_address\ipc$ "" "/user:"

    The net command to map null sessions requires these parameters:

    • net followed by the use command

    • The IP address or hostname of the system to which you want to map a null connection

    • A blank password and username

  2. Press Enter to make the connection.

    After you map the null session, you should see the message The command completed successfully.

To confirm that the sessions are mapped, enter this command at the command prompt:

net use

You should see the mappings to the IPC$ share on each computer to which you’re connected.

With a null session connection, you can use other utilities to gather critical Windows information remotely. Dozens of tools can gather this type of information.

You — like a hacker — can take the output of these enumeration programs and attempt to

  • Crack the passwords of the users found.

  • Map drives to the network shares.

You can use the following applications for system enumeration against server versions of Windows prior to Server 2003 as well as Windows XP.

net view

The net view command shows shares that the Windows host has available. You can use the output of this program to see information that the server is advertising to the world and what can be done with it, including the following:

  • Share information that a hacker can use to attack your systems, such as mapping drives and cracking share passwords.

  • Share permissions that might need to be removed, such as the permission for the Everyone group, to at least see the share on older Windows 2000–based systems.

Configuration and user information

Winfo and DumpSec can gather useful information about users and configurations, such as

  • Windows domain to which the system belongs

  • Security policy settings

  • Local usernames

  • Drive shares

Your preference might depend on whether you like graphical interfaces or a command line. Winfo is a command-line tool. The following is an abbreviated version of Winfo’s output of a Windows NT server, but you can collect the same information from other Windows systems:

Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
   - http://www.ntsecurity.nu/toolbox/winfo/
SYSTEM INFORMATION:
 - OS version: 4.0
PASSWORD POLICY:
 - Time between end of logon time and forced logoff: No forced logoff
 - Maximum password age: 42 days
 - Minimum password age: 0 days
 - Password history length: 0 passwords
 - Minimum password length: 0 characters
USER ACCOUNTS:
 * Administrator
 (This account is the built-in administrator account)
 * doctorx
 * Guest
 (This account is the built-in guest account)
 * IUSR_WINNT
 * kbeaver
 * nikki
SHARES:
 * ADMIN$
 - Type: Special share reserved for IPC or administrative share
 * IPC$
 - Type: Unknown
 * Here2Bhacked
 - Type: Disk drive
 * C$
 - Type: Special share reserved for IPC or administrative share
 * Finance
 - Type: Disk drive
 * HR
 - Type: Disk drive

This information cannot be gleaned from a default installation of Windows Server 2003, Windows XP, Windows 7, or Windows 8.

You can peruse the output of such tools for user IDs that don’t belong on your system, such as

  • Ex-employee accounts that haven’t been disabled

  • Potential backdoor accounts that a hacker might have created

NetUsers

The NetUsers tool can show who has logged in to a remote Windows computer. You can see such information as

  • Abused account privileges

  • Users currently logged into the system

This information can help you track, for auditing purposes, who’s logging in to a system. Unfortunately, this information can be useful for hackers when they’re trying to figure out what user IDs are available to crack.

Countermeasures against null session hacks

If it makes good business sense and the timing is right, upgrade to the more secure Windows Server 2012 or Windows 7. They don’t have the vulnerabilities described in the following list.

You can easily prevent null session connection hacks by implementing one or more of the following security measures:

  • Block NetBIOS on your Windows server by preventing these TCP ports from passing through your network firewall or personal firewall:

    • 139 (NetBIOS sessions services)

    • 445 (runs SMB over TCP/IP without NetBIOS)

  • Disable File and Printer Sharing for Microsoft Networks in the Properties tab of the machine’s network connection for those systems that don’t need it.

  • Restrict anonymous connections to the system. For Windows NT and Windows 2000 systems, you can set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous to a DWORD value as follows:

    • None: This is the default setting.

    • Rely on Default Permissions (Setting 0): This setting allows the default null session connections.

    • Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): This is the medium security level setting. This setting still allows null sessions to be mapped to IPC$, enabling such tools as Walksam to garner information from the system.

    • No Access without Explicit Anonymous Permissions (Setting 2): This high security setting prevents null session connections and system enumeration.

Microsoft Knowledge Base Article 246261 covers the caveats of using the high security setting for RestrictAnonymous. It’s available on the web at http://support.microsoft.com/default.aspx?scid=KB;en-us;246261.

FIM and MIM resources

Web resources:

Identity Manager Hybrid Reporting in Azure: https://technet.microsoft.com/en-us/library/mt134414.aspx

Out-of-the-box FIM 2010 R2 Reports: https://technet.microsoft.com/en-us/library/jj133843(v=ws.10).aspx

FIM/MIM connectors (free): https://msdn.microsoft.com/en-us/library/jj863241(v=ws.10).aspx

Connectors: http://social.technet.microsoft.com/wiki/contents/articles/1589.fim-2010-management-agents-from-partners.aspx

Powershell connector: https://msdn.microsoft.com/en-us/library/dn640417(v=ws.10).aspx


How to create and deploy a client certificate for Mac: http://blogs.technet.com/b/configmgrteam/archive/2013/04/05/how-to-create-and-deploy-a-client-cert-for-mac-independently-from-configmgr.aspx

Converting .cer to .pem or vice versa: https://www.sslshopper.com/ssl-converter.html

Using OpenSSL to convert a certificate from one format to another: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

Exporting a private key: https://technet.microsoft.com/en-us/library/cc754329.aspx

Using PowerShell:

http://msexchange.me/2014/06/05/monitoring-event-id-thru-powershell/

http://community.spiceworks.com/topic/282720-powershell-event-log-monitor-email-alert-script-central-monitor

https://vijredblog.wordpress.com/2014/03/21/task-scheduler-event-log-trigger-include-event-data-in-mail/

Using SCOM:

http://jimmoldenhauer.blogspot.fr/2013/03/scom-2012-how-to-generate-alerts-from.html

http://scomandplus.blogspot.fr/2013/02/creating-rules-to-monitor-security-logs.html

http://thoughtsonopsmgr.blogspot.fr/2013/11/windows-event-log-monitoring-how-to-get.html

http://opsmgradmin.blogspot.fr/2011/05/scom-monitoring-windows-event-logs.html


Introduction:

When Kerberos was chosen to be AD’s authentication protocol in the mid- to late-1990s, the World Wide Web was a shadow of what the Internet offers today. Although the Kerberos ticket contained an encrypted password hash that could be attacked, there wasn’t any substantial requirement to provide support outside the highly protected corporate firewall.

The rise of cloud services is changing many aspects of our lives, and these services don’t support external authentication via Kerberos because of that password vulnerability. If a web service uses standards, it handles claims-based authentication using SAML 2.0 or, increasingly, OAuth 2.0 and OpenID Connect. Microsoft’s own Azure Active Directory doesn’t use Kerberos; it supports SAML and OAuth 2.0 as its authentication protocols.

Resources:

http://windowsitpro.com/active-directory/ease-cloud-security-concerns-federated-identity

http://windowsitpro.com/identity-management/kerberos-might-not-be-dead-its-not-feeling-well

Wikipedia Article: OAuth

http://css.csail.mit.edu/6.858/2014/projects/kanter-bcyphers-bfaviero-jpeebles.pdf

http://www.axiomatics.com/blog/entry/authentication-vs-authorization-part-2-saml-and-oauth-2.html

OAuth in details

OAuth is an authorization method to provide access to resources over the HTTP protocol.

Usage

OAuth 2 can be used for authorization of various apps (server/browser/mobile) and desktop applications, or for manual user access.

The general way it works is allowing an application to have an access token (which represents a user’s permission for the client to access their data) which it can use to authenticate a request to an API endpoint.

OAuth 2 flow

A sample OAuth flow: Facebook

OAuth versions

There are two versions of OAuth authorization OAuth 1 (using HMAC-SHA signature strings) and OAuth 2 (using tokens over HTTPS).

Note: SoapUI currently only offers OAuth 2 authorization.

OAuth 2 terms

Conceptually, OAuth 2 has a few components interacting. The resource server (the API server) holds the resources to be accessed. Access tokens are issued by the authorization server (which can be the same as the API server), with the consent of the resource owner (the user) whose resources are being accessed. The application that uses the tokens to call the API is called the client.

End Points

The token Endpoint is used by clients to get an access token (and optionally refresh token) from the authorization server.

Note: When using implicit grant, this endpoint is not used. Instead the access token is sent from the authorization endpoint directly.

Tokens

The two token types involved in OAuth 2 authentication are Access Token and Refresh Token.

Access Token

The access token is used for authentication and authorization to get access to the resources on the resource server.

Refresh Token

The refresh token normally is sent together with the access token.

The refresh token is used to get a new access token, when the old one expires. Instead of the normal grant type, the client provides the refresh token, and receives a new access token.

Using refresh tokens allows for having a short expiration time for access token to the resource server, and a long expiration time for access to the authorization server.

Token Types

Access tokens have a type, which defines how they are constructed.

Bearer Tokens

The bearer tokens use HTTPS security, and the request is not signed or encrypted. Possession of the bearer token is considered authentication.

MAC Tokens

More secure than bearer tokens, MAC tokens are similar to signatures, in that they provide a way to have (partial) cryptographic verification of the request.

Grants

Methods to get access tokens from the authorization server are called grants. The same method used to request a token is also used by the resource server to validate a token.

The four basic grant types are Authorization Code, Implicit, Resource Owner Credentials and Client Credentials.

Note: SoapUI currently only offers the grant types Code Grant and Implicit.

Authorization Code

With the authorization_code grant, the resource owner allows access. An authorization code is then sent to the client via a browser redirect, and the client exchanges that code in the background for an access token. Optionally, a refresh token is also sent.

Implicit

The implicit grant is similar to authorization code, but instead of using the code as an intermediary, the access token is sent directly through a browser redirect.

Resource Owner Credentials (not yet in SoapUI)

The password (Resource Owner Credentials) grant uses the resource owner's password to obtain the access token. Optionally, a refresh token is also sent. The password is then discarded.

Client Credentials (not yet in SoapUI)

In client_credentials grant mode, the client’s credentials are used instead of the resource owner’s. The access token is associated either with the client itself, or delegated authorization from a resource owner.

Grant Type Extensions

OAuth has a mechanism for extending grant types as a bridge to other authorization frameworks, or for specialized clients.

Extension grants are used by clients through an absolute URI passed as the grant_type parameter, adding any further parameters the extension needs to the token endpoint request.

Scope

In OAuth 2, the scope is a way to restrict access to specified areas. A common way of handling it is with a comma-separated or space-delimited list of strings, where each string indicates an area of access.
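The authorization code grant, refresh-token renewal, bearer-token checking and scope restriction described in the sections above, as an added Python example that is not part of the original page or of SoapUI. The client registration, the token lifetimes, the in-memory store and the injectable clock are assumptions; the authorization endpoint is modelled as already having the resource owner's approval.

```python
import secrets
import time

# Constructed client registration; a real server would store these per client.
CLIENTS = {"app123": {"secret": "s3cr3t", "redirect_uri": "https://app.example/cb"}}
ACCESS_TTL = 300          # short-lived access token (seconds)
REFRESH_TTL = 30 * 86400  # long-lived refresh token (seconds)

class AuthorizationServer:
    """In-memory authorization server; also plays the resource server in introspect()."""
    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be exercised
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, client_id, redirect_uri, scope, user):
        """Authorization endpoint, called after the resource owner has approved.
        Returns a short-lived one-time code bound to client, redirect URI and scope."""
        c = CLIENTS.get(client_id)
        if not c or c["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_request: unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": set(scope.split()), "user": user, "exp": self.now() + 60}
        return code

    def _issue(self, grant):
        """Mint a bearer access token plus a refresh token for the same grant."""
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at] = dict(grant, exp=self.now() + ACCESS_TTL)
        self.refresh[rt] = dict(grant, exp=self.now() + REFRESH_TTL)
        return {"access_token": at, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": rt, "scope": " ".join(sorted(grant["scope"]))}

    def token(self, grant_type, client_id, client_secret, code=None,
              redirect_uri=None, refresh_token=None):
        """Token endpoint: authorization_code (redeemable once) or refresh_token (rotated)."""
        c = CLIENTS.get(client_id)
        if not c or c["secret"] != client_secret:
            raise ValueError("invalid_client")
        if grant_type == "authorization_code":
            g = self.codes.pop(code, None)  # pop: a replayed code must fail
            if not g or g["redirect_uri"] != redirect_uri:
                raise ValueError("invalid_grant")
        elif grant_type == "refresh_token":
            g = self.refresh.pop(refresh_token, None)  # pop: the old refresh token is retired
        else:
            raise ValueError("unsupported_grant_type")
        if not g or g["client_id"] != client_id or g["exp"] < self.now():
            raise ValueError("invalid_grant")
        return self._issue({"client_id": client_id, "user": g["user"], "scope": g["scope"]})

    def introspect(self, access_token, required_scope):
        """Resource server check: bearer possession + not expired + scope covers the call.
        Returns the resource owner on success, None otherwise."""
        g = self.access.get(access_token)
        if not g or g["exp"] < self.now() or required_scope not in g["scope"]:
            return None
        return g["user"]
```

Because a bearer token is accepted on possession alone, the only server-side controls are the short ACCESS_TTL, the scope check and the one-time code; the refresh token lets the client outlive that short lifetime without the user re-approving.
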


Software Assurance (SA) would be available in the new MPSA agreements from 1 September 2014:
http://blogs.technet.com/b/volume-licensing/archive/2014/07/16/announcing-phased-plan-to-retire-select-plus-due-to-world-wide-mpsa-availability.aspx

Select Plus agreements would be retired for good. This would happen in 2 stages:
  • From 1 July 2015, it would no longer be possible to sign a new Select Plus agreement.
  • From 1 July 2016, it would no longer be possible to place new orders under a Select Plus agreement. Existing agreements will in principle be "migrated" to MPSA agreements (unless MPSA is not available in the country). SA benefits acquired under those agreements would also be retained.
http://blogs.technet.com/b/volume-licensing/archive/2014/07/16/mpsa-adds-software-assurance.aspx