Category: Security




MCAS and AIP:–AIP-Integrations?term=AIP&lang-en=true


Security Community:

Microsoft security compliance toolkit:

Il remplace Security Compliance Manager. Cet outil permet de planifier, créer, et monitorer des baselines de sécurité pour vos postes clients. Le remplacement a été choisi par Microsoft du fait de la complexité de SCM et de la difficulté à maintenir l’outil pour chaque version de Windows. Aujourd’hui, SCT ne supporte pas Desired Configuration Management de System Center Configuration Manager ou SCAP.

Other references:

2012 R2 hardening (CIS):

Windows 10 hardening:




To test SSL/TLS and much more you can use the free online tool from Qualys:


Links related to TLS which I have consulted: Solving the TLS problem ==>

Managing SSL/TLS Protocols and Cipher Suites for AD FS ==>

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll ==>

TLS/SSL Settings ==>


Querying the Windows Security Account Manager (SAM) remotely via the SAM-Remote (SAMR) protocol against their victim’s domain machines, allows the attackers to get all domain and local users with their group membership and map possible routes within the victim’s network. Recently, some frameworks (e.g. BloodHound) have automated that mapping process.

By default, the SAM can be accessed remotely (via SAMR) by any authenticated user, including network connected users, which effectively means that any domain user is able to access it. Windows 10 had introduced an option to control the remote access to the SAM, through a specific registry value. On Windows Anniversary update (Windows 10 Version 1607) the default permissions were changed to allow remote access only to administrators. An accompanying Group Policy setting was added, which gives a user-friendly interface to alter these default permissions.

SAMR: Remote Querying of SAM

The Security Account Manager Remote Protocol (SAMR) exposes the security accounts manager database for a remote authenticated domain user. It does so for both local and domain accounts. There are five objects that are exposed by the protocol; server, domain, group, alias and user. All these objects can be updated and read, and some (user, group and alias) can also be created and deleted.

Flow and Usage

The basic flow of using the SAMR protocol is as such:

  1. Connect to a server (the remote machine).
  2. Enumerate/lookup the server for domains.
  3. Open the domain of interest.
  4. Lookup a user or alias/group in the domain.
  5. Open the user/alias of interest.
  6. Query the user/alias of interest.

There are a few tools that utilize these API calls, such as Net User/Group, PowerSploit’s Get-NetLocalGroup and Imapcket’s SAMRdump. Net User and Net Group are Windows built-in command line tools. With these tools an authenticated user can add or modify and display information on users or groups respectively on the local machine or its domain controller. The Get-NetLocalGroup queries a remote machine for its local groups (including the “Administrators” and “Users” groups). SAMRdump, queries the target machine for its local users (using the EnumDomainUsers on the target machine). MicrosoftATA detects the use of such query and alerts the security administrator about it.

Hardening SAM Remote access:




GPO Basics:

1) Structure of a GPO:

Group Policy Container (GPC) which exists in Active Directory

and the Group Policy Template (GPT) where the actual content of your GPOs resides.

A third component, known as Client-Side Extensions (CSEs) can be found on client devices and are necessary for them to properly process the Group Policies assigned to them.


2) GPO processing (LSDOU):


3) GPO troubleshooting:


GPO management with PowerShell:

Powershell – how to translate a GPO GUID to Name?

Get-GPO -GUID “{AD7E3746-7135-496B-A1F5-B5B11871F96F}”

Powershell – how list all GPOs?

Get-GPO -all

Get-GPo -all | ft -autosize

Get-GPO -all | out-gridview

Powershell – how many GPOs?

(get-gpo -all).count

Powershell – how to translate a GPO Name to GUID?

PS Z:\ADGPO management> Get-GPO -all | where {$ -like “bd9df1be-3663-4cb4-bb71-35f7e27c691f”} | select id,displayname | ft -autosize

Id                                   DisplayName
—                                   ———–
bd9df1be-3663-4cb4-bb71-35f7e27c691f Corporate-A-All-Settings-Restore


Powershell – create and link a GPO?


PS C:\> Get-GPStarterGPO -Name “Laptops”
Next, you can use the New-GPO cmdlet to create the new GPO from your Starter GPO as follows:

PS C:\> New-GPO -Name “France-Laptops” -StarterGpoName “Laptop”

Finally, you can link the new GPO to the targeted OU as follows:

PS C:\> New-GPLink -Name “France-Laptops” -Target “ou=computers,ou=France,dc=hq,dc=mydomain,dc=com”

Alternatively, by using the Windows PowerShell pipeline feature, you can create and link the GPO using a single command.

Windows Admin Center:


You can install Windows Admin Center on the following Windows operating systems:

Version Installation Mode
Windows 10 (1709) Desktop mode
Windows Server, version 1709 Gateway mode
Windows Server 2016 Gateway mode

Desktop Mode: Connect to the Windows Admin Center gateway from the same computer on which it’s installed (for example, https://localhost:6516)

Gateway Mode: Connect to the Windows Admin Center gateway from a client browser on a different machine (for example, https://servername)