Category: Security


Decommissioning WINS in a large company is not an easy task, and the side effects can be significant:

  • Legacy applications
  • Legacy Windows systems, Samba-based servers
  • Old appliances, legacy SAN/NAS devices
  • Short names (not FQDNs) hardcoded in legacy or in-house developed applications
  • My Network Places (or Network Neighborhood), which relies on the browse list being repopulated quickly, as the Browser service is still based on NetBIOS.
  • Any third-party network applications that leverage the browse list to find network resources users can attach to.
  • Microsoft DFS referrals (see below: the default behavior of DFS is to use NetBIOS names for all target servers in the namespace)
  • WINS may also be necessary for VPN client subnets (which need to resolve NetBIOS names).

How to detect WINS traffic on a network using firewall logs:

  • TCP 42, to detect WINS replication between WINS servers
  • The WINS Server service listens on UDP port 137 for incoming NetBIOS name resolution requests (to detect client computers and servers using WINS)
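As an added example (not from the page's author or the article linked below), the following Python script applies the two indicators above to a constructed firewall log export: unicast UDP/137 queries sent to a known WINS server address count as WINS clients, TCP/42 connections count as replication partners, and the clients are grouped by /24 so the subnets (including the VPN client subnets mentioned above) that still depend on WINS can be listed before the servers are removed. The CSV column layout, the sample lines and the WINS server addresses are assumptions; adapt the field mapping to your firewall's export. UDP/137 is also used for local-subnet NetBIOS broadcasts, which is why only queries addressed to a WINS server are counted.

```python
"""Inventory WINS dependencies from a firewall connection-log export.

Assumed export format (CSV, one flow per line):
    timestamp,action,proto,src_ip,src_port,dst_ip,dst_port
Indicators used, as described on the page:
    TCP 42  -> WINS replication between WINS servers
    UDP 137 -> NetBIOS name service query; counted as WINS usage only when
               the destination is a known WINS server (broadcasts to the
               subnet broadcast address are ordinary NetBIOS, not WINS).
"""
import csv
import io
import ipaddress
from collections import defaultdict

WINS_REPLICATION_PORT = 42   # TCP
NETBIOS_NS_PORT = 137        # UDP

# Constructed sample log export; the addresses and flows are not real traffic.
SAMPLE_LOG = """timestamp,action,proto,src_ip,src_port,dst_ip,dst_port
2018-03-01T08:00:01Z,allow,udp,10.1.20.15,137,10.1.1.5,137
2018-03-01T08:00:02Z,allow,udp,10.1.20.15,137,10.1.1.5,137
2018-03-01T08:00:05Z,allow,udp,10.1.20.16,137,10.1.20.255,137
2018-03-01T08:01:10Z,allow,tcp,10.1.1.5,49152,10.2.1.5,42
2018-03-01T08:01:11Z,allow,tcp,10.2.1.5,49160,10.1.1.5,42
2018-03-01T08:02:00Z,allow,udp,10.9.0.7,137,10.1.1.5,137
2018-03-01T08:02:30Z,allow,tcp,10.1.20.15,50000,10.1.1.5,445
2018-03-01T08:03:00Z,deny,udp,10.9.0.8,137,10.1.1.5,137
"""


def inventory_wins_usage(log_text, wins_servers):
    """Return (clients, replication) built from the log export.

    clients:     {client_ip: number of unicast UDP/137 queries to a WINS server}
    replication: {(src_ip, dst_ip): number of TCP/42 connections}
    Denied flows are skipped: they never reached a WINS server and would
    otherwise inflate the client count.
    """
    wins_servers = set(wins_servers)
    clients = defaultdict(int)
    replication = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"].lower() != "allow":
            continue
        proto = row["proto"].lower()
        dst_port = int(row["dst_port"])
        if proto == "udp" and dst_port == NETBIOS_NS_PORT and row["dst_ip"] in wins_servers:
            clients[row["src_ip"]] += 1
        elif proto == "tcp" and dst_port == WINS_REPLICATION_PORT:
            replication[(row["src_ip"], row["dst_ip"])] += 1
    return dict(clients), dict(replication)


def scopes_with_wins_clients(clients, prefix_len=24):
    """Group querying clients by /prefix_len network.

    The result is the list of DHCP scopes or VPN address pools that still
    have hosts relying on WINS, i.e. where option 44 cannot be removed yet.
    """
    scopes = defaultdict(int)
    for ip, count in clients.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        scopes[str(net)] += count
    return dict(scopes)


if __name__ == "__main__":
    # The WINS server addresses are an assumption for the sample data.
    clients, replication = inventory_wins_usage(SAMPLE_LOG, ["10.1.1.5", "10.2.1.5"])
    print("WINS clients (unicast UDP/137 to a WINS server):")
    for ip, n in sorted(clients.items()):
        print(f"  {ip:<15} {n} queries")
    print("Replication partners (TCP/42):")
    for (src, dst), n in sorted(replication.items()):
        print(f"  {src} -> {dst}  {n} connections")
    print("Subnets still depending on WINS:")
    for net, n in sorted(scopes_with_wins_clients(clients).items()):
        print(f"  {net:<18} {n} queries")
```

Run it against a longer export taken from a period that covers monthly and quarterly jobs, since legacy applications that only resolve a short name at month end will not show up in a day's worth of logs.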

Very good article: http://techgenix.com/wins-still-needed/

Impact and changes:

  • Change DHCP scopes (remove option 44 from the scopes)
  • Change the local TCP/IP properties on all computers and servers to remove the WINS servers
  • The default behavior of DFS is to use NetBIOS names for all target servers in the namespace:

https://saltwetbytes.wordpress.com/2007/08/30/windows-dfs-without-wins/

My personal recommendations:

WINS is not deprecated in 2012 R2, nor in 2016:

(https://docs.microsoft.com/en-us/windows-server/get-started/deprecated-features)

If you are configuring a new company from scratch, try not to install WINS; for an existing company with Windows applications and computers (100% in reality!), I would say that WINS is not necessary, but it is recommended. It is easy to install and to maintain. It is faster to resolve and robust. Administration tasks are close to zero!


Reference article: https://blogs.technet.microsoft.com/office_resource_kit/2014/01/21/managing-updates-for-office-365-proplus-part-1/

Extracts:

Q1. Well…how do automatic updates work? Can I control them?

A1.  A default install of Office 365 ProPlus is configured to update automatically from the cloud.  Separately, each month a new build of Office 365 ProPlus is released in the cloud.  When a computer with Office 365 ProPlus detects that a new build is available, the difference – or delta – between the new build and the existing one is streamed down in the background.  Updates are then installed when Office apps/processes aren’t running. So, with the default configuration Office 365 ProPlus, you will always be up-to-date. IT Pros can customize the configuration by controlling if updates are searched and applied automatically and/or from which source this will happen.  (More on this in Managing Updates for Office 365 ProPlus – Part 2.)

 …

Q4. I use WSUS and/or System Center Configuration Manager to manage Office updates today.  Can I continue to use these products to update Office 365 ProPlus?

A4.  Automatic updates is a servicing model built into Office 365 ProPlus, and provides the ability to be always up to date, or “evergreen”, with security and functionality enhancements.  Office 365 ProPlus updates are not provided via Windows Update.  Some environments may prefer to use their existing software distribution tool to manage updates for Office 365 ProPlus, and this can be facilitated using the Office Deployment Tool.  Check out the References section below for more information.

….

How to use the ODT (Office Deployment Tool) for Office 365?

https://support.office.com/en-us/article/Overview-of-the-Office-2016-Deployment-Tool-bb5b62d9-1168-47e9-9d54-15a958acfcca?ui=en-US&rs=en-US&ad=US

Choosing a UTM security appliance?

How to choose your UTM ('unified threat management') security appliance?

UTM? https://fr.wikipedia.org/wiki/Unified_threat_management

First, understand your needs (next-gen firewall, proxy, VPN?, AV?, ...)

Selection criteria:

   http://www.lemagit.fr/conseil/Six-criteres-pour-choisir-une-appliance-UTM

   http://www.lemagit.fr/conseil/UTM-vs-NGFW-de-vraies-differences

e.g.: https://www.watchguard.com/wgrd-products/tabletop/firebox-t30-t50

Some products:

checkpoint : http://www.checkfirewalls.com/CheckPoint-Small-Medium-Enterprise.asp

arkoon stormshield : https://www.stormshield.com/fr/produits-et-services/produits/protection-des-reseaux/

fortinet fortigate : https://www.fortinet.com/solutions/small-business/small-business-security.html

dell sonicwall : https://www.sonicwall.com/fr-fr/products/firewalls/mid-range

sophos : https://www.sophos.com/fr-fr/lp/utm-updates.aspx

paloalto ( more for NGFW) : https://www.paloaltonetworks.com/products

watchguard firebox :

https://www.watchguard.com/fr/wgrd-resource-center/help-me-choose

https://www.watchguard.com/wgrd-products/appliances-compare/216/3592/3593

Forum: https://www.reddit.com/r/networking/comments/6yi2t3/watchguard_firebox_t30_feedbackquestions/

The main question is: How do I know if I have been hacked?

Detecting lateral movement using event logs: http://blog.jpcert.or.jp/.s/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html

Sysmon 6: https://technet.microsoft.com/en-us/sysinternals/sysmon  and how to use it: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

http://blog.crowdstrike.com/sysmon-2/

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

additional resources on this blog: http://wp.me/p15Zft-od

and some other links:  http://www.computerforensicsworld.com/, http://www.forensics.nl/links

The first step is to scan your computer with a rootkit detector. Numerous rootkit scanners are available; some are listed below:

Toolkit to help you:

– Volatility: http://www.volatilityfoundation.org/

– Crowdstrike: http://www.crowdstrike.com/community-tools/index.html

– McAfee foundstone free tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx

– PowerShell Windows forensics: https://github.com/WiredPulse/PoSh-R2

– PowerShell Windows forensics: https://github.com/Invoke-IR/PowerForensics

– PowerShell Windows forensics: https://github.com/gfoss/PSRecon

– PowerShell Windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

– forensic toolkits: http://www.sleuthkit.org/, http://sourceforge.net/projects/autopsy/

– online scanning: http://www.virustotal.com

– Windows event logs

– Windows safe mode! (Autoruns from Sysinternals to detect not-well-known applications/services)

– Autoruns, Procexp, Procmon, TCPView, Handle, PsLoggedOn (http://www.microsoft.com/sysinternals)

– treesize pro (http://www.jam-software.com/treesize/)

– closethedoor (http://sourceforge.net/projects/closethedoor/)

– Wireshark (https://www.wireshark.org/download.html) or Microsoft Message Analyzer (http://www.microsoft.com/en-us/download/details.aspx?id=40308)

– nmap: http://nmap.org/download.html#windows

– traceroute: http://www.net.princeton.edu/traceroute.html

AD protected users group:

https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

https://digital-forensics.sans.org/blog/2014/11/13/protecting-privileged-domain-accounts-restricted-admin-and-protected-users

Based on my 22 years of experience as a sysadmin, I recommend the following free tools for forensic analysis and systems assessment:

https://blogs.microsoft.com/microsoftsecure/

http://adsecurity.org

http://www.thehackernews.com

Tools:

PowerShell Windows forensics: https://github.com/WiredPulse/PoSh-R2

PowerShell Windows forensics: https://github.com/Invoke-IR/PowerForensics

PowerShell Windows forensics: https://github.com/gfoss/PSRecon

PowerShell Windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

Timeline Tools

RegRipper

FTK Imager

Volatility: http://www.volatilityfoundation.org/

http://www.crowdstrike.com/community-tools/index.html

McAfee foundstone free tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx

http://www.truesec.com/tools/

http://www.joeware.net

http://helgeklein.com/setacl/

http://www.microsoft.com/sysinternals

http://www.systemtools.com

http://www.netikus.net

http://www.insecure.org  and http://sectools.org

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

Windows forensics:

Detecting lateral movement: http://blog.jpcert.or.jp/.s/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html


Ref: http://windowsir.blogspot.fr/

Situation
The situation was pretty straight-forward; a system (Win7SP1) had been identified as having been infected with malware at one point.  What had been determined from the initial analysis that had been conducted was that the system had been infected in Sept, 2014.  As it turned out, the malware in question had been deleted by an AV scan around mid-Aug, 2015, and the image had been acquired near the end of Sept, 2015.  Two user profiles had been identified as having been involved in the initial infection.

Goals
The goal of this analysis was pretty simple.  Essentially, the initial analysis work had already been done, and a report had been delivered to the client. My objective for this analysis was to gain greater insight into the infection process, and to see if I could develop threat intelligence from anything else that I found.

Tools
I performed all of my work using free and open-source tools.

I conducted my analysis using Notepad++.

Timeline
I created a timeline of system activity using:

  • File system metadata
  • Selected Windows Event Logs
  • Registry hives (Software, System, Security)
  • NTUSER.DAT and USRCLASS.DAT from the two profiles of interest
  • User WebCacheV01.DAT IE browser history files

The process I used to create my timeline is pretty much exactly what’s listed in Windows Forensic Analysis 4/e, in ch. 7.  The process took only a couple of minutes to put together a timeline and begin analyzing it.  From the time I opened the image in FTK Imager, I had a timeline in less than 30 min. Also, something I really like about it is that the process can be used in such a manner that only those files required are sent to another analyst to construct a timeline.

The system did have Prefetch files but given the time frame, there were no files of interest in the Prefetch folder.

Once I created the timeline, I was able to easily add context to what I was looking at using other tools.  For example, I parsed the user’s WebCacheV01.dat files initially using esedbexport.exe, and then using ESEDatabaseView.  An important take-away from this is data interpretation…entries have several time stamps associated with each visited URL, and the incorrect identification and interpretation of those time stamps can significantly impact your findings.  For example, the visited URL has an expiry date time stamp; assuming that this is when the site was last accessed can have a significant (and perhaps detrimental) impact on your overall analysis.

I took a look at IE session recovery files using the Structured Storage Viewer; I got what I needed out of the particular streams of interest, and added notes to my timeline.

Mapping the user’s TypedURLs values with the TypedURLsTime values was pretty fascinating, although all it really did was support findings that didn’t pertain directly to the malware.  Still…it was pretty cool.

User shellbags proved to be very illuminating, and the UserAssist information added additional context to what I was seeing.  In the case of one user profile, the combination of those two artifacts illustrated intentional, purposeful activity…the user navigated to a specific subfolder, and double-clicked a specific .exe file, launching it.  File system and Registry events following this activity indicated the execution of the application.

Hibernation File
It turned out that the system was a laptop, and had a hibernation file.  I extracted the file, and used Volatility 2.5 to convert it to raw format.  The “imageinfo” command told me that the hibernation file had been created on 13 Sept 2015,  a bit before the image was acquired.  I didn’t expect to find anything of value from the memory image, but I ran a couple of commands (pslist, psxview) anyway.  Doing so essentially validated my suspicions, but better to do it than not.  Besides, I wasn’t stopping my other analysis…the command prompt where I ran the commands simply went to the background, and I examined the output files when the commands completed.

The previous analysis had indicated that strings/IOCs associated with the malware had been found in the hibernation file.  I used strings.exe, and then the Volatility ‘strings’ command, and found that those strings were in free space.

Working with VSCs
A quick check of the image indicated that there were volume shadow copies (VSCs) available, which was great.  Most corporate systems I’ve dealt with for the past couple of years have had VSCs disabled for some reason, and here was one that didn’t.  I ran vhdtool.exe to “convert” the image, which essentially added a footer to the file.  As my analysis system is Windows 10, I renamed the file to have the “.vhd” file extension.  I opened the Disk Management utility and attached the newly-created VHD, and used the following command to list the available VSCs:

vssadmin list shadows /for=g:

Interestingly, I basically followed the process laid out in this blog post.  The output of the vssadmin command showed me that there was a VSC that had been created on 13 Jul 2015, which was about a month prior to the malware being detected and quarantined by AV.  I linked the VSC to a folder on my analysis system, and added the contents of the folder to FTK Imager; however, this didn’t give me the level of access I wanted, as I wanted to get, among other things, a copy of the $MFT from the VSC.

That’s where Jimmy’s blog post on mounting shadow volumes came into play.  Using vss.exe, I added the VSC in question to my analysis system as X:\, which appeared as a RAM image.  I then added the logical volume to FTK Imager, and was able to extract the $MFT, as well as other files.   By creating a timeline using files extracted from the VSC, I was able to create a bit more context around the

Conclusion
Creating the timeline in the manner that I did allowed me to get started on my analysis in fairly short order, identify what needed a closer look, and then add context and notes to the timeline.  I didn’t have to wait for an automated tool to complete, and then trudge through a lot of data that didn’t pertain to what I was trying to determine.  I admit, I had a bit of a leg up because of the initial analysis that had been conducted, but the process I used would have led me to the initial indicators pretty quickly.  Specifically, the use of eventmap.txt in parsing Windows Event Logs allows for a number of event records to be auto-tagged, and then easily searched for in the timeline.  Searching the timeline for the “[MalDetect]” tag would’ve taken me to the “Symantec Endpoint Protection Client” event ID 51 record that identified what would be my initial pivot point.

As it turns out, there were a number of “Symantec Endpoint Protection Client/51” events in the timeline, so an easy fix to that would have been to do something like this:

type events.txt | find "[MalDetect]" > av_events.txt

The above command runs through the events file and locates all malware detection events, putting them into a separate file.  From there, I could have run:

parse -f av_events.txt > av_tln.txt

This would give me a nano-timeline of just AV detection events, giving me a much smaller set of data to analyze, and on which I could pivot.  This would also pick up all malware detection events, for any such events mapped in the eventmap.txt file.

Accessing the shadow volume allowed me to collect copies of files that were not otherwise accessible, as well as get a look at the state of the system prior to the malware being removed.  In this case, the malware employed two persistence mechanisms, which meant that two copies of the malware existed on the system.  My initial timeline provided an indication of this, as immediately prior to the AV writing its detection and quarantine message to the Windows Event Log, there were changes to two locations within the file system, and to one Registry key.  Accessing the shadow volume from a time when the malware existed on the system allowed me to confirm what I had suspected.  It only took a few minutes, and to be honest, it was worth the time to close the loop on the speculation.

I should note that I exported the hibernation file from the shadow volume, but once I converted it to raw format, the “imageinfo” command showed me that it had the same “image date and time” as the one from the image.  Running “pslist” and “psxview” gave me the exact same information as running those commands on the original hibernation file.  I need to look into this more, but it seems that the hibernation file is not tracked in shadow volumes, although the $MFT is.
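The "nano-timeline" and pivot described in the post above, as an added Python example that is not code from the post's author or from his tool set. It assumes the five-field TLN line format used by those tools (time|source|system|user|description, with the time as Unix epoch seconds), a constructed events.txt with a few file system, Registry and event log entries, and the "[MalDetect]" tag the post names; the parse step is a simplified stand-in for the post's "parse -f", and the pivot function collects everything that happened in the minute before a detection, which is how the two persistence locations and the Registry key were spotted in the post.

```python
"""Filter a TLN events file on a tag, build a nano-timeline, and pivot.

Assumed TLN line format (five pipe-separated fields):
    time|source|system|user|description
where time is Unix epoch seconds and eventmap-style tags such as
"[MalDetect]" are prefixed to the description.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events.txt content; hosts, paths and times are invented.
SAMPLE_EVENTS = r"""1439800000|EVT|WORKSTN7|-|[MalDetect] Symantec Endpoint Protection Client/51;Security Risk Found! Trojan.Gen in File: C:\Users\bob\AppData\Roaming\svc.exe
1439799990|FILE|WORKSTN7|-|M... C:\Users\bob\AppData\Roaming\svc.exe
1439799991|REG|WORKSTN7|bob|M... HKCU\Software\Microsoft\Windows\CurrentVersion\Run
1439800000|EVT|WORKSTN7|-|[MalDetect] Symantec Endpoint Protection Client/51;Security Risk Found! Trojan.Gen in File: C:\ProgramData\svc.exe
1439800300|EVT|WORKSTN7|-|Microsoft-Windows-Security-Auditing/4624;Logon bob
1410000000|EVT|WORKSTN7|-|[MalDetect] Symantec Endpoint Protection Client/51;Security Risk Found! Trojan.Gen in File: C:\Users\alice\Downloads\setup.exe
"""


def filter_tagged(events_text, tag):
    """Equivalent of the post's `find "[MalDetect]"` step: keep tagged lines only."""
    return [line for line in events_text.splitlines() if tag in line]


def parse_tln(lines):
    """Group TLN lines by timestamp, as the post's parse step does.

    Returns a time-sorted list of (epoch, [(source, system, user, description), ...]).
    Lines that do not have five fields are skipped instead of aborting the run.
    """
    by_time = defaultdict(list)
    for line in lines:
        fields = line.split("|", 4)
        if len(fields) != 5:
            continue
        t, source, system, user, desc = fields
        by_time[int(t)].append((source, system, user, desc))
    return sorted(by_time.items())


def nano_timeline(events_text, tag):
    """Timeline of only the events carrying `tag` (e.g. all AV detections)."""
    return parse_tln(filter_tagged(events_text, tag))


def pivot_context(events_text, epoch, window_s=60):
    """Full-timeline entries in the window leading up to `epoch`.

    This is the pivot from the post: starting at an AV detection record, look
    at what changed on the file system and in the Registry just before it.
    """
    return [(t, entries) for t, entries in parse_tln(events_text.splitlines())
            if epoch - window_s <= t <= epoch]


def render(timeline):
    """Render a parsed timeline as text, one UTC header line per timestamp."""
    out = []
    for epoch, entries in timeline:
        stamp = datetime.fromtimestamp(epoch, tz=timezone.utc)
        out.append(stamp.strftime("%a %b %d %H:%M:%S %Y Z"))
        for source, system, user, desc in entries:
            out.append(f"  {source:<5}{system:<10}{user:<8}{desc}")
    return "\n".join(out)


if __name__ == "__main__":
    detections = nano_timeline(SAMPLE_EVENTS, "[MalDetect]")
    print("AV detection nano-timeline:")
    print(render(detections))
    # Pivot on the most recent detection and show the minute before it.
    last_detection = detections[-1][0]
    print("\nContext before the last detection:")
    print(render(pivot_context(SAMPLE_EVENTS, last_detection, window_s=60)))
```

The tag filter is a plain substring match on purpose: any tag defined in an eventmap-style file can be passed in, so the same function yields a nano-timeline of logons, service installs or whatever else has been mapped.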

Office 365 and GDPR

Free tools for Windows sysadmins:

– Registry editor with compare and replace: regedt33.exe: https://sourceforge.net/projects/regedt33/

– AD security: adsecurity.org  ; http://www.dsinternals.com ; http://www.pingcastle.com

– PowerShell Windows forensics: https://github.com/Invoke-IR/PowerForensics  and  https://github.com/gfoss/PSRecon and https://github.com/davehull/Kans

– Memory forensics: http://www.volatilityfoundation.org/

– Crowdstrike free tools: http://www.crowdstrike.com/community-tools/index.html

– McAfee foundstone free tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx

– Windows first-aid kit on a USB key: http://wp.me/p15Zft-wU

– Net tools and forensic tools for Windows: http://www.nirsoft.net/utils/ipnetinfo.html
– System and performance: CCleaner, Recuva, Defraggler, Speccy from Piriform: https://www.piriform.com/products
– Windows 8 or Server 2012 start menu (GUI): http://www.classicshell.net/
– New Microsoft network monitor called Message Analyzer (GUI): http://www.microsoft.com/en-us/download/details.aspx?id=40308
– ESET SysInspector: http://www.eset.com/us/download/utilities/ (a convenient utility for the toolbox of every IT expert and first responder)
– Qualys BrowserCheck: https://browsercheck.qualys.com/ (checks internet browser vulnerabilities)
– Secunia Personal Software Inspector: http://secunia.com/vulnerability_scanning/personal/download_psi/ (scans applications for vulnerabilities)
– TrueCrypt. Is disk encryption software: http://www.truecrypt.org/
– Keepass. To remember passwords: http://keepass.info/
– PuTTY, FileZilla, WinSCP, Xming (free X server), MobaXterm (free X server and SSH): Unix tools for Windows
– Remote Desktop managers: mRemoteNG, Remote Desktop manager
– Ophcrack is a free Windows password cracker based on rainbow tables: http://ophcrack.sourceforge.net/
– Anti-malware free Malwarebytes (GUI): http://www.malwarebytes.org/
– Inventory tool that performs hardware scanning, software scanning, and Active Directory (AD) reporting (GUI):  www.lansweeper.com
– DNSdataview (GUI): www.nirsoft.net/utils/dns_records_viewer.html
– WinDirStat (GUI): http://windirstat.info
– Archiving and compression 7-zip  (GUI): www.7-zip.com
– Compare content files: ExamDiff  (GUI):  www.prestosoft.com/edp_examdiff.asp
– File Recovery (GUI): PC inspector File recovery   and    easeUS data recovery
– System Information for Windows and benchmarks (gathers detailed information about a computer’s system properties, settings, and displays; benchmarks):
        – SIW (GUI)
        – AIDA (GUI)
        – Everest (GUI)
– HDTune: GUI, simple disk I/O utility
– Unlock DLL: GUI to unlock DLLs in use (cf. the Unlocker utility on the internet)
– AD queries builder with powershell and powershell editor  (GUI): http://www.powergui.org
– AD reports and ldap builder (GUI): http://www.maxpowersoft.com/
– AD change reporter (GUI): www.tinyurl.com/cph99tu
– AD object restore wizard (GUI): www.tinyurl.com/kv83sh9
– Inactive users tracker (GUI): www.tinyurl.com/xv83dsf
– Network monitoring (GUI): http://www.spiceworks.com/, or the Quest ScriptLogic free utility called sl360
– Disk space monitor (GUI): www.tinyurl.com/zksfuw
– Bulk password reset (GUI): www.tinyurl.com/cxc3t4d
– Windows service monitor (GUI): www.tinyurl.com/dakjw32
– Vmware change reporter (GUI): www.tinyurl.com/dsdz44
– File server change reporter (GUI): www.tinyurl.com/bhd3k2b
– Password expiration notifier (GUI): www.tinyurl.com/kbwu34z
– USB blocker (GUI): www.tinyurl.com/awqc4p3
– Free disk analysis tool (GUI): www.northern-utilities.com ; find out how much of your storage capacity is being wasted on unwanted files
– Netbook hardware control (GUI): www.pbus-167.com
– Sysinternals tools (CMD/GUI): www.microsoft.com/sysinternals
– www.joeware.net (CMD)
– www.netikus.com (CMD/GUI)
– www.solarwinds.com
– OpenSSH (GUI, CMD: www.openssh.com )
– OpenVPN (GUI, CMD: http://openvpn.net )
– Microsoft Security Essentials: Antivirus/Anti-malware free: www.microsoft.com/security_essentials
– Microsoft Resource Kits
– ClamAV: Antivirus
– AVast: Antivirus
– Free download manager: IE download manager
– Daemontools or Virtual Clone Drive (GUI)
– Tree size free: Directory or disk usage and statistics (GUI): http://www.jam-software.com/freeware/
– CDex: transform CD in MP3… (GUI)
– Desktop Restore. Records the position of desktop icons and restores desktop layouts.
– InfraRecorder. Burns ISO images and creates data and audio CDs and DVDs: http://infrarecorder.org/
– Notepad++. Is a text and code editor.
– NTFS Undelete. Recovers deleted files that are no longer in the recycle bin.
– Paint.NET. Manipulates images.
– PING. Makes a sector-based image copy of a disk partition.
– Windows Preinstallation Environment (WinPE). Lets you make a Windows command-line boot recovery DVD.
– XML Notepad. Is a specialized XML editor.
– ZoomIt. Magnifies portions of a screen and lets you draw on and annotate the screen (cf. www.microsoft.com/sysinternals).
– BareTail. Monitors log files in real time.
– Wireshark. Is a protocol analyzer: http://www.wireshark.org
– FileZilla. Is a GUI FTP client.
– Winscp. Is a GUI sftp client.
– Ngrep. Is a packet sniffer based on finding matching text strings.
– NeWT. Is a vulnerability scanner. (If you’re interested in obtaining this software after reading about it, go to http://cgi.tenablesecurity.com/tenable/requestForm.php.)
– OpenSSH. Creates secure, encrypted shell sessions.
– WinDump. Is a command-line packet sniffer. (If you’re interested in obtaining this software after reading about it, go to http://www.winpcap.org/windump/default.htm.)
– Winfingerprint. Is a network scanner.
– LocatePC. Emails you whenever any private or public IP address in your system changes.
– Open Computers and Software Inventory (OCS Inventory NG). Provides detailed inventory data for an entire network of computers as well as deploys packages. (If you’re interested in obtaining this software after reading about it, go to http://sourceforge.net/projects/ocsinventory.)
– PRTG Traffic Grapher. Is a network monitor.
– SyncBack. Backs up or synchronizes files to another location: http://www.2brightsparks.com/freeware/freeware-hub.html
– Wink. Builds screencast recordings. (The write-up for this tool isn’t in the main article but rather its sidebar “Screencasting with Wink”. If you’re interested in obtaining this software after reading about it, go to http://www.debugmode.com/wink.)
– CamStudio. Builds screencast recordings.
– CDBurnerXP. Burns CD-ROMs, DVDs, audio CDs, and ISO images.
– Comodo Firewall Pro. Is a firewall and antivirus application.
– DriveImage XML. Is a program for imaging and backing up partitions and logical drives.
– GParted LiveCD. Manages partitions on systems. (You can also find information about GParted in “Tool Time: Repartition Windows Servers with GParted”.)
– PageDefrag. Determines how fragmented your paging files and registry hives are, and defragments them (cf. www.microsoft.com/sysinternals)
– JkDefrag. Defragments and optimizes disks.
– TestDisk. Recovers damaged partitions, makes non-bootable disks bootable again, and repairs damaged boot sectors.

Free Virtualization tools:

– Free Tools for hyperV: http://social.technet.microsoft.com/wiki/contents/articles/2325.hyper-v-top-free-programs.aspx

– If you work with virtual machines (VMs), check out the following 29 tools:
“Virtualization on the Cheap”
1. Catbird Compliance Enforcer. Analyzes existing virtual infrastructures, then highlights rogue VMs, quarantines suspect VMs, and generates compliance and security reports.
2. Citrix XenServer. Is a virtualization platform.
3. ConfigCheck. Evaluates an ESX Server installation to see whether it’s configured properly and in accordance with VMware’s best practices, particularly with regard to security guidelines.
4. EasyVMX. Lets you create web-based VMs.
5. Hyper-V. Is a virtualization platform.
6. Microsoft Assessment and Planning Toolkit. Searches out computers in a network, then generates a detailed inventory using Windows Management Instrumentation (WMI), SNMP, or Remote Registry Service.
7. Microsoft Virtual PC 2007. Is a virtualization platform.
8. OpsCheck. Troubleshoots configuration problems that might cause VMware VMotion to encounter problems.
9. PlateSpin Recon Inventory Edition. Profiles and analyzes data centers, then gathers information about traffic, workload, asset inventory, and application services.
10. Veeam Monitor Free Edition. Monitors VMware ESX and ESXi environments in real-time.
11. Virtual Iron Single Server Edition. Is a virtualization platform.
12. VirtualBox. Is a virtualization platform.
13. Vizioncore vOptimizer FreeWare. Squeezes Microsoft and VMware VMs into more manageable sizes.
14. VMware ESXi. Is a virtualization platform.
15. VMware Player. Loads and run VMs created by other virtualization products.
16. V-Scout. Aggregates and organizes information from up to two VMware VirtualCenter installations.
“More Free Virtualization Tools”
17. PHD Virtual.com website. Offers several free VMware utilities (e.g., VMNetBac, SnapHunter).
18. VM Explorer (VMX). Powers VMs on or off as well as backs up and restores VMs.
19. Xtravirt.com website. Offers several free virtualization utilities (e.g., GetVMwareDocs, Visio Action Pack).
“Free Virtualization Utilities”
20. ISO Recorder. Creates and burns ISO images.
21. Ultimate-P2V. Converts physical systems to VMs.
22. VHD Resizer. Expands and shrinks .vhd files.
23. VHDMount. Mounts a .vhd file as a local drive.
24. Virtual Floppy Drive. Mounts a virtual floppy drive from a VM.
25. Virtual Machine Remote Control Client Plus (VMRCplus). Manages, configures, and connects to Microsoft VMs.
26. VMDK to VHD Converter. Converts VMware images to Microsoft images.
27. VMmark. Benchmarks applications running in VMware VMs.
28. VMware Converter. Converts physical machines or Microsoft VMs to VMware VMs.
29. VMware Workstation 5.5 Disk Mount Utility. Mounts a VMware.vhd file on a Windows host.
Note that you can find more information about Hyper-V, VMware ESXi, and Citrix XenServer in “Free Hypervisors Extend Your IT Resources”.

Free Scripting tools:

No matter whether you write scripts or not, you’ll likely find many of the 14 recommendations in “Script Writers’ Favorite Free Utilities” helpful:
1. Blat. A command-line utility that uses SMTP to send email or uses Network News Transfer Protocol (NNTP) to post to Usenet.
2. AutoIt v3 and SciTE. Is a scripting language (AutoIt) and editor (SciTE).
3. CodeKeep Add-In. Is a code snippet manager for Visual Studio (VS).
4. DumpSec. Is a Windows security auditing program.
5. Joeware website. Offers many command-line utilities to automate AD tasks (e.g., AdQueueLoop, Unlock) and other tasks (e.g., DNSSrvRec, SidToName).
6. MD5WIN. Computes and compares Message-Digest algorithm 5 (MD5) digest strings.
7. NirSoft website. Offers numerous utilities for monitoring networks, managing passwords, retrieving Internet-related data, and performing other system-management tasks.
8. Notepad++. Is a text and code editor.
9. PSPad. Is a text and code editor.
10. Python. Is a programming/scripting language that you can use to automate tasks.
11. Regular Expression Laboratory. Lets you create regular expressions and test them against arbitrary text.
12. VIM. Is a text and code editor.
13. WinZip Command Line Support Add-On. Lets you use WinZip directly from the command line and from scripts.
14. Powershell editor and Gui powershell code builder: http://www.powergui.org
check also the powerpacks (like plug-ins for powergui, to manage other windows applications).

Free tools for Sharepoint:

Freebies that might be of interest to SharePoint administrators include the following:
“SharePoint Freebies Someone You Might Know Might Want”
1. Document Connection for Mac. Aids in accessing and browsing Mac documents in SharePoint.
2. Free Technology for Microsoft SharePoint User Groups. Is a program to provide free add-ons and other products to community-organized SharePoint user groups.
3. Persian Language Pack for Windows SharePoint Services (WSS) 3.0.
“More SharePoint Freebies Someone You Might Know Might Want”
4. Discovery Wizard for SharePoint. Gathers SharePoint inventory data and displays it in HTML reports.
5. DocAve SQL Restore Controller. Provides item-level, site-level, and site collection-level restores from active SQL Server databases and from SQL Server backups.
6. Idera SharePoint performance monitor. Monitors SharePoint performance counters and sends email alerts when problems arise.
“Free SharePoint Archiving Tool Aims to Cut Bloat”
7. Metalogix Archiving Express for SharePoint. Archives SharePoint content.

Free tools for Exchange:

Some helpful freebies when working with Microsoft Exchange include:
“Top 10 Exchange Server 2007 Troubleshooting Tools”
1. Database Recovery Management Tool. Analyzes a database store and specifies the steps needed to mount it.
2. Database Troubleshooter. Analyzes database and transaction logs and their entries and reports on problems that might prevent you from recovering the database.
3. Dcdiag. Analyzes the state of domain controllers in a forest or enterprise and reports any problems.
4. Event Viewer. Lets you view Exchange-related events.
5. Mail Flow Troubleshooter. Identifies and repairs mail flow holdups.
6. Message Tracking. Reveals a message’s path through the Exchange Server organization when messages get lost in mail flow transit.
7. Nslookup. Helps troubleshoot DNS problems.
8. Performance Monitor. Analyzes counters associated with various aspects of system performance to see whether those counters fall within a designated range.
9. Performance Troubleshooter. Analyzes three RPC performance problems.
10. Queue Viewer. Lets you view and interact with mail flow queues.
“Two Exchange Server Tools You Should Know About”
11. Performance Analysis of Logs (PAL). Analyzes a performance monitor counter log and puts its findings in an HTML report.
12. ‘Rough and Tough’ Guide to Identifying Patterns in Transaction Logs. Provides a set of tools and associated processes for figuring out what’s happening on an Exchange server given a set of transaction log files.

Free tools for SQL Server:

If your IT duties include working with SQL Server, check out “The Mega Guide to Free SQL Server Tools”. This guide includes 80 tools, so the list is too long to print here. You can find out what those tools are at http://www.sqlmag.com/Articles/ArticleID/102244/102244.html.
At SQL Server Magazine, we’re all about helping DBAs and developers do their jobs faster and more efficiently—especially now, when they’re being expected to do more with less staff and funding. That’s why, when we realized just how many free SQL Server tools are available, we decided to bring them to your attention. You might recognize some of these tools from Kevin Kline’s Tool Time or Michael Otey’s Back Page, and many of these tools can be found on Microsoft’s CodePlex website. These tools were created by in-the-trenches DBAs and developers, as well as third-party SQL Server product vendors, to solve specific SQL Server problems or to fill holes in SQL Server’s functionality. There are so many free SQL Server tools that we couldn’t test them all, so be sure to test them yourself before running them in production.
Administration
• Data Scripter Add-in for Management Studio—This add-in lets you script data for SQL Server tables through SQL Server Management Studio (SSMS) (sqlblogcasts.com/blogs/seanprice/archive/2007/08/28/data-scripter-add-in-for-management-studio.aspx)
• Iometer—This tool measures and characterizes I/O subsystems in single and clustered servers (www.iometer.org)
• Microsoft SQL Server 2005 Upgrade Advisor—This tool analyzes your SQL Server 2000 and SQL Server 7.0 instances to find features and configuration changes that could affect an upgrade to SQL Server 2005 (www.microsoft.com/downloads/details.aspx?FamilyID=1470e86b-7e05-4322-a677-95ab44f12d75)
• mRemote—You can use this tool (which supports both RDP and VNC) to manage your remote server connections from a central GUI (www.mremote.org/wiki)
• MSSQL Blocks—This tool collects information from multiple SQL Server 2005 and 2000 instances about locked or blocked processes and stores this information in XML files for later analysis (sqlblocks.narod.ru)
• Orphan Finder—You can use Orphan Finder to find records in your SQL Server 2005 databases in which there are values in a foreign key column that aren’t in the parent table (http://www.spi.hr/EnglishaboutLC/tabid/470/Default.aspx)
• Partition Management—This tool uses the Sliding Window technique to remove data from one partition and place it into a staging table, and creates a staging table that’s used to load data into partitions (www.codeplex.com/SQLPartitionMgmt)
• Quest Software’s Toad for SQL Server Freeware—Toad for SQL Server Freeware offers a code and data editor, a data grid for modifying tables, and a database browser that lets you view and manage database objects graphically (www.toadsoft.com/toadsqlserver/toad_sqlserver.htm)
• SortSQLFilesInProject—You can use this tool to sort the SQL files contained in an SSMS project or the packages in a SQL Server Integration Services (SSIS) project (www.sqldbatips.com/showarticle.asp?ID=78)
• SQLDBSize 1.0—This tool graphically displays size information about your databases, tables, indexes, and more (www.sqldbtools.com/Tools.aspx?ProductId=3)
• SQL Management Studio Snapshot Add-In—This utility adds the Create Snapshot option to context menus in SSMS, enabling you to create a database snapshot (sqlblogcasts.com/blogs/seanprice/archive/2007/07/15/sql-management-studio-snapshot-add-in.aspx)
• SQLRecon—SQLRecon finds all of your SQL Server and Microsoft SQL Server Desktop Engine (MSDE) systems by performing active and passive scans on your network (www.specialopssecurity.com/labs/sqlrecon)
• SQL Server 2008 Extended Events Manager—This tool lets you create, delete, modify, start, and stop Extended Events sessions and metadata files in SQL Server 2008 (www.codeplex.com/ExtendedEventManager)
• SQL Server Automation Scripts—This tool provides SQL Server Agent jobs that you can use to perform automated maintenance tasks (download.microsoft.com/download/4/0/C/40CBAD9A-D990-450B-8785-F288CEBFB448/AITScripts.zip)
• SQL Server Database Copy Tool—With this utility, you can copy databases from one SQL Server system to another (dbcopytool.codeplex.com)
• SQL Server Express Utility—You can use this command-line utility to perform various SQL Server maintenance tasks (www.microsoft.com/downloads/details.aspx?FamilyID=fa87e828-173f-472e-a85c-27ed01cf6b02)
• SQL Server Health and History Tool (SQLH2) Performance Collector—This tool collects performance counter data from your SQL Server systems and stores it in a repository (www.microsoft.com/downloads/details.aspx?familyid=64983AF0-7902-427E-9B41-7C2E8FDCC140)
• SQL Server Health and History Tool (SQLH2) Reports—Prevent performance problems by using this tool to collect and store change and trending information (www.microsoft.com/downloads/details.aspx?familyid=A4B837C7-A1FA-4F25-840B-FEF15E917F18)
• YourSQLDba—You can use this T-SQL stored procedure to automate routine database maintenance tasks such as database and log backups and consistency checks (www.grics.qc.ca/YourSqlDba)
Backup and Recovery
• Idera’s SQL safe Freeware Edition—This utility lets you back up and compress multiple databases of any size and offers a scriptable interface (www.idera.com/Products/Free-Tools/SQL-safe-Freeware-Edition)
• AppAssure’s DocRetriever Lite—This free tool lets you restore individual documents back to a SharePoint farm from a SQL Server backup (www.appassure.com/applications/free-tools/docretriever-lite-for-sharepoint/)
Best Practice and Compliance
• Best Practices Analyzer Tool for Microsoft SQL Server 2000 1.0—You can use this tool to verify whether your SQL Server 2000 systems are managed and operated according to Microsoft’s SQL Server best practices (www.microsoft.com/downloads/details.aspx?FamilyID=b352eb1f-d3ca-44ee-893e-9e07339c1f22)
• Microsoft SQL Server 2005 Assessment Configuration Pack for Sarbanes-Oxley Act (SOX)—This configuration pack audits SQL Server systems to see if they meet the SOX configuration requirements (www.microsoft.com/downloads/details.aspx?familyid=976df931-a3cf-40e3-802e-3281b1451835)
• SQL Server 2005 Best Practices Analyzer—This utility checks your databases for potential problems by using SQL Server 2005 best practices configurations (www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63)
• SQL Server FineBuild—FineBuild lets you install SQL Server 2008 and 2005 with one click, and provides best practice configurations as well (www.codeplex.com/SQLServerFineBuild)

Free tools for business intelligence and DB admins:

• BIDS Helper—This Visual Studio .NET add-in enhances SQL Server 2008 and 2005’s Business Intelligence Development Studio (BIDS) (www.codeplex.com/bidshelper)
• DTLoggedExec—With DTLoggedExec, each step executed by SSIS packages is logged, which makes configuring and troubleshooting SSIS packages fast and easy (dtloggedexec.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=21219)
• Microsoft SQL Server 2005 Data Mining Add-ins for Microsoft Office 2007—These add-ins let you use SQL Server 2005’s predictive analysis features in Microsoft Excel 2007 and Microsoft Visio 2007 (www.microsoft.com/downloads/details.aspx?FamilyID=7c76e8df-8674-4c3b-a99b-55b17f3c4c51)
• Microsoft SQL Server Metadata-Driven ETL Management Studio (MDDE)—You can use MDDE to quickly generate SSIS packages (sqlservermddestudio.codeplex.com)
• Reporting Services Scripter—This .NET Windows Forms application offers the ability to easily move SQL Server Reporting Services (SSRS) reports and catalog item properties between multiple servers (www.sqldbatips.com/showarticle.asp?ID=62)
• RSBuild—You can use this SSRS deployment tool to execute database scripts with ADO.NET and publish reports and data sources to SSRS (rsbuild.codeplex.com)
• SQL Nexus—This front-end visualization tool is used to load and analyze performance data that was collected by SQLDiag and PSSDiag (www.codeplex.com/sqlnexus)
Change Management
• SQLDBSearch 2.0—With SQLDBSearch 2.0, you can find objects that could be affected by a soon-to-be implemented database change (www.sqldbtools.com/Tools.aspx?ProductId=2)
• Tarantino Database Change Management—This utility makes it easier to apply database schema and database changes to multiple SQL Server systems (code.google.com/p/tarantino/wiki/DatabaseChangeManagement)
Code Formatters
• ApexSQL Refactor—This SQL Server Management Studio add-in offers 43 customizable options for formatting your SQL code and lets you preview your changes before you save them (www.apexsql.com/sql_tools_refactor.asp)
• Instant SQL Formatter—This tool not only reformats your SQL code but also turns your formatted SQL code into HTML code and translates your SQL code into other coding languages such as C# and Java (www.wangz.net/gsqlparser/sqlpp/sqlformat.htm)
• Manoli C# Code Format—You can use this tool to format code to the HTML 4.01 specification for a website or blog (www.manoli.net/csharpformat)
• Simple-Talk Code Prettifier—This tool converts your ASCII source code into HTML code so that you can paste it into an online element such as a blog or website (www.simple-talk.com/prettifier/default.php)
• SQLinForm—With this SQL code formatter, SQL statements aren’t transferred over the Internet and there’s nothing to install (www.sqlinform.com)
Database Comparison
• CompareData—This utility uses ODBC drivers to compare and synchronize data between two SQL Server databases (www.zidsoft.com)
• Open DBDiff—This database schema comparison tool provides you with a report showing the differences between two database schemas and includes a synchronization script that you can use to update the databases (www.codeplex.com/OpenDBiff)
• SQL Accord Community Edition for Microsoft SQL Server—This tool offers schema comparison features via an interactive GUI (www.sqleffects.com/Articles/Product/sqlAccordInfo/aboutSqlAccordCommunityEd.html)
• SQLDBDiff—You can use this tool to compare and synchronize SQL Server 2005 and 2000 database schemas (www.sqldbtools.com)
• TableDiff.exe GUI—With TableDiff.exe GUI, you no longer have to run the TableDiff.exe table comparison tool (found in SQL Server 2005) from the command line (weblogs.sqlteam.com/mladenp/archive/2007/08/10/60279.aspx)
Database Security
• Devenius SQL Encryption Assistant Basic Edition—You can use this SQL Server Management Studio add-in to manage your encryption keys (www.devenius.com/sql_server_tools/sql_encryption_assistant/SEA.aspx)
• Idera’s SQL permissions—You can use this tool to move or copy SQL Server login information and permissions setting between servers (www.idera.com/Products/Free-Tools/SQL-permissions)
• Lockdown.sql—This script locks your SQL Server systems down to the most secure configuration, letting you deploy systems that have only the required functionality enabled (www.sqlsecurity.com/Tools/LockdownScript/tabid/64/Default.aspx)
• Microsoft Baseline Security Analyzer 2.1—This tool performs vulnerability assessment checks on your SQL Server systems to verify their security (technet.microsoft.com/en-us/security/cc184923.aspx)
• SQLPing 3.0—SQLPing scans your network to find new and unprotected SQL Server and MSDE instances (www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx)
Development
• DbFit—You can use DbFit to run Framework for Integrated Testing (FIT) tests directly against databases, making it easier to perform integration testing on databases (www.fitnesse.info/dbfit)
• ScriptDB—This application scripts database objects using SQL Server Management Objects (SMO) (www.codeplex.com/ScriptDB)
• SpatialViewer—This utility lets you view spatial data easily (www.codeplex.com/SpatialViewer)
• SQL Server PowerShell Extensions (SQLPSX)—This tool helps make working with SMO from PowerShell easier by offering PowerShell functions around SMO objects (sqlpsx.codeplex.com)
• SQL Spatial Tools—SQL Spatial Tools includes two tools: Shape2SQL, which you use to upload ESRI files to SQL Server Spatial, and SQLSpatial Query Tool, which queries SQL Server 2008 and displays the geometry output via a Windows Presentation Foundation map (www.sharpgis.net/page/SQL-Server-2008-Spatial-Tools.aspx)
• SQLCLRProject—With SQLCLRProject, you can use MSBUILD tasks to deploy .NET assemblies to SQL Server 2008 and 2005 (www.codeplex.com/sqlclrproject)
• SQLIO Disk Subsystem Benchmark Tool—With this tool, you can find out what the I/O capacity of a SQL Server configuration is (www.microsoft.com/downloads/details.aspx?familyid=9a8b005b-84e4-4f24-8d65-cb53442d9e19)
• SQLScripter—This command-line utility automates schema generation and scripts SQL Server 2005 databases (www.valinor.co.il/tools-sqlscripter.asp)
• SQLsharp—This free tool offers a CLR library of useful functions that you can use to write better SQL code in SQL Server 2008/2005 (www.sqlsharp.com)
• SSMS Tools Pack—This suite of tools enhances SSMS’s functionality with features such as a query template tool and a CRUD procedure-generation tool (www.ssmstoolspack.com)
• Stored Procedure Generator—This tool generates the stored procedures necessary to access tables in SQL Server (spgen.codeplex.com)
• tsqlt—As a unit testing framework for T-SQL, tsqlt helps isolate functionality to be tested (sourceforge.net/projects/tsqlt)

Free tools for DB job management or sysadmin performance monitoring:

• HeavyLoad—This free stress-test tool from JAM Software puts a server under load so you can see how it behaves under pressure (https://www.jam-software.de)
• Idera’s SQL job manager—With SQL job manager, you can view and manage SQL Server Agent jobs across multiple SQL Server systems from a central administration console (www.idera.com/Products/Free-Tools/SQL-job-manager)
• JAMS Monitor—With JAMS Monitor, you can manage Windows Task Scheduler and SQL Server jobs and ensure that they’re running successfully from a centralized management console (www.mvpsi.com/FreeMonitor.aspx)
Log Management
• Log Parser 2.2—You can use this tool to access text-based data (e.g., log files, XML files), as well as data sources in Windows (e.g., Active Directory, the event log) (www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07)
• PSSDIAG Data Collection Utility—This diagnostic data collector can be used to gather logs and data files (www.microsoft.com/downloads/details.aspx?familyid=5564386A-28C2-4483-8293-76FFF67B9EB3)
Performance and Monitoring
• ClearTrace—You can use this graphical display tool to summarize query performance data from server-side trace and SQL Server Profiler sessions (www.cleardata.biz/cleartrace/default.aspx)
• DMVStats 1.01—You can use this tool to collect, analyze, and report on performance data from SQL Server 2005 Dynamic Management Views (DMVs) (www.codeplex.com/sqldmvstats)
• Idera’s SQL check—This tool runs as a secure screensaver and monitors your SQL Server systems, as well as offers a look at processes, error logs, and SQL Server Agent jobs (www.idera.com/Products/Free-Tools/SQL-check)
• Internals Viewer for SQL Server—You can use this tool to see how data is allocated, organized, and stored in the SQL Server storage engine (internalsviewer.codeplex.com)
• MDX Script Performance Analyser—You can use this tool to identify which statements in your SQL Server Analysis Services (SSAS) MDX script are negatively affecting MDX query performance (www.codeplex.com/mdxscriptperf)
• Performance Analysis of Logs (PAL) Tool—PAL automates the collection and analysis of performance counters in the Performance Monitor Counter log (www.codeplex.com/PAL)
• Quest Discovery Wizard for SQL Server (beta)—You can use this tool to monitor your network for changes and find all your SQL Server instances (www.quest.com/discovery-wizard-for-sql-server)
• RML Utilities for SQL Server (x86)—With this tool, you can monitor SQL Server performance by processing SQL Server trace files and viewing reports, and test how a specific change will affect your SQL Server systems (www.microsoft.com/downloads/details.aspx?FamilyId=7EDFA95A-A32F-440F-A3A8-5160C8DBE926)
• SQLIOSim—SQLIOSim replicates SQL Server’s types and patterns of I/O requests on a disk subsystem and verifies data similarly to how SQL Server would in a production environment (blogs.msdn.com/sqlserverstorageengine/archive/2006/10/06/SQLIOSim-available-for-download.aspx)
• SQLQueryStress—This tool is helpful when performance stress testing T-SQL queries because it collects data about whether your queries will run under load, and each query’s resource usage (www.datamanipulation.net/sqlquerystress)
• SQL Server 2005 Performance Dashboard Reports—These reports help you quickly identify performance bottlenecks and provide the information necessary to resolve them (www.microsoft.com/downloads/details.aspx?FamilyId=1d3a4a0d-7e0c-4730-8204-e419218c1efc)
• SQL Server Cache Manager—Find out what is being stored in the SQL Server cache and if the cache is being used efficiently with this free tool (www.codeplex.com/sqlservercache)
• SQL Server DBA Dashboard—This tool uses graphs and reports, which are integrated with SSMS, to identify what is using your SQL Server systems’ resources (www.sqlserverexamples.com/v2/Products/tabid/76/Default.aspx)
Prevent SQL Server Injection Attacks
• bsqlbf-v2—This Perl script lets you extract data from blind SQL injections (code.google.com/p/bsqlbf-v2)
• HP Scrawlr—This scanner tool crawls your web pages, checking for SQL injection vulnerabilities (www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx)
• Microsoft Source Code Analyzer for SQL Injection—You can use this tool to find SQL injection vulnerabilities in ASP code (support.microsoft.com/kb/954476)
• URLScan—URLScan restricts the type of HTTP requests Microsoft IIS will process (learn.iis.net/page.aspx/473/using-urlscan)
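The tools above find injection flaws from the outside; the defect they are looking for is the query built by string concatenation. The script below is an added example, not code from the original article or from any of the tools listed: it puts the vulnerable pattern beside the parameterized form that closes it, and runs the single-quote probe an error-based scanner such as Scrawlr starts with. sqlite3 stands in for SQL Server so it runs offline; the table, rows and login functions are constructed for the example. With pyodbc against SQL Server the same `?` placeholders and `cursor.execute(sql, params)` call apply.

```python
"""SQL injection: concatenated query vs. parameterized query, plus the
error-based probe a scanner sends to tell them apart.

Added example; sqlite3 is a stand-in for SQL Server so this runs offline.
"""
import sqlite3

# Constructed sample data (not from the page): three users, so a tautology
# that matches every row returns a count of 3.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> int:
    """The flaw: user input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest becomes SQL syntax.
    Returns the number of matching rows (> 0 means 'authenticated')."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0]


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> int:
    """The fix: placeholders. The driver sends the statement and the values
    separately, so input is always data and never syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0]


def probe_for_injection(conn: sqlite3.Connection, login_fn) -> bool:
    """Simplest error-based probe: a lone single quote as the user name.
    Concatenation produces an unterminated string and the database raises a
    syntax error; a parameterized query just sees a user called "'" and
    returns zero rows. A leaked SQL error is the tell-tale a scanner keys on."""
    try:
        login_fn(conn, "'", "")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable, real creds   :", login_vulnerable(db, "alice", "s3cret"))
    print("vulnerable, tautology    :", login_vulnerable(db, "x", tautology))
    print("parameterized, real creds:", login_parameterized(db, "alice", "s3cret"))
    print("parameterized, tautology :", login_parameterized(db, "x", tautology))
    print("probe flags vulnerable   :", probe_for_injection(db, login_vulnerable))
    print("probe flags parameterized:", probe_for_injection(db, login_parameterized))
```

The tautology `' OR '1'='1` turns the concatenated WHERE clause into one that matches every row, so the vulnerable login "succeeds" with a count of 3; the parameterized version compares the literal string and returns 0. The probe is deliberately the crudest form: real scanners also use boolean and time-based payloads for blind cases, which is what bsqlbf-v2 above exploits once a flaw is found.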
Web Administration
• SQL Server Hosting Toolkit—The SQL Server Hosting Toolkit offers two tools: the Database Publishing Wizard, which you can use to upload your databases to a hosting environment, and the Database Publishing Services, which offers ASP.NET web services that can make it easier for you to deploy databases (sqlhost.codeplex.com)
• SQL Server Web Tools—This web-based administration tool lets you perform management tasks, including administering accounts, managing databases and tables, and creating and running queries and stored procedures (sqlwebtools.codeplex.com)
• SQL Web Data Administrator—This SQL Server management tool lets you create and edit databases, export and import database schema and data, and more (www.codeplex.com/SqlWebAdmin)
Who Says Nothing in Life Is Free?
Although this list includes dozens of free SQL Server tools, it doesn’t include them all. If you know about a free SQL Server utility that’s not on this list, we want to hear about it: You can email me at mkeller@sqlmag.com. Also, please share your feedback about the tools included in this list in the Tool Time forum at www.sqlmag.com/forums. For even more free tools, see the sidebars “Free SQL Server Projects and Samples” and “Free PowerShell Scripts for SQL Server.”

CCleaner 5.33 Was Hacked!

https://www.howtogeek.com/326742/ccleaner-was-hacked-what-you-need-to-know/

https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident