Microsoft Security compliance toolkit / Windows hardening / GPO settings

Microsoft Security Compliance Toolkit: it replaces Security Compliance Manager. This tool lets you plan, create and monitor security baselines for your client workstations. Microsoft chose to replace SCM because of its complexity and the difficulty of maintaining the tool for each version of Windows. Today, SCT does not support

Microsoft Message Analyzer resources

Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/
Network Monitor 3.4 (Netmon) – https://www.microsoft.com/en-us/download/details.aspx?id=4865 (NOTE: Network Monitor is no longer under active development)
Wireshark (v 2.2.2 as of 11/16/16) – https://wireshark.org/#download
Netsh Trace – built into the operating system
Microsoft Message Analyzer (MMA) (v 1.4 as of 6/13/16) – https://www.microsoft.com/en-us/download/details.aspx?id=44226
Message Analyzer operating guide: http://technet.microsoft.com/en-us/library/jj649776.aspx
How to message analyzer

How to determine which version of .net framework is installed?

Reference: http://support.microsoft.com/kb/318785
Microsoft .NET Framework is a software package used by many applications; it runs in a software environment as opposed to a hardware environment.
Free program called .NET Version Detector ( download here ).
PowerShell: how to get the version of .NET Framework on a remote computer: https://gallery.technet.microsoft.com/scriptcenter/Detect-NET-Framework-120ec923
To query the local Registry using

Free Tools for System and Network or DB Administrators

Free tools for Windows sysadmin
– Find a string in files on Windows: using findstr /s /i, e.g. findstr /s /i /C:"provider=sqloledb" d:\dir\*.*
– Find and replace a string in a file (Find and Replace == fnr): http://findandreplace.io/download ; another tool, which also requires Java: FAR https://sourceforge.net/projects/findandreplace/
– Test SSL and TLS: https://www.qualys.com/sslchecker
– Well-known online tools for network engineers: https://dnschecker.org https://www.whois.net/ https://mxtoolbox.com/ https://whatismyipaddress.com/ http://ping-test.org/ https://www.portcheckers.com/

How to configure Windows Event forwarding (WEF) ?

Introduction: In summary: Windows Event Forwarding allows event logs to be sent, either via a push or pull mechanism, to one or more centralized Windows Event Collector (WEC) servers. WEF is agent-free, and relies on native components integrated into the operating system. WEF is supported for both workstation and server builds of Windows. WEF

Recommendations concerning NTFS cluster size

Microsoft’s file systems organize storage devices based on cluster size. Also known as the allocation unit size, cluster size represents the smallest amount of disk space that can be allocated to hold a file. Because ReFS and NTFS don’t reference files at a byte granularity, the cluster size is the smallest unit of size that

Windows forensic: Sysmon

Download Sysmon: NEW: Sysmon 12 is available (with a new event ID to log copies to the clipboard)! https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
How to use it:
WMI detections: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/
MITRE framework – Sysmon coverage: https://attack.mitre.org/
Installation and usage: Azure Sentinel – monitor servers using Sysmon
https://github.com/topics/sysmon
https://github.com/clong/DetectionLab
https://github.com/olafhartong/sysmon-modular
https://github.com/ion-storm/sysmon-config
https://github.com/SwiftOnSecurity/sysmon-config
List of web resources concerning Sysmon: https://github.com/MHaggis/sysmon-dfir
Motiba:

SQL Server and Databases resources

Resources:
SQL Server performance: http://wp.me/p15Zft-8h
SQL Server video archive: https://technet.microsoft.com/en-us/dn912438
Database tasks: https://technet.microsoft.com/en-us/library/ms165730(v=sql.105).aspx
T-SQL reference: https://technet.microsoft.com/en-us/library/ms189826(v=sql.90).aspx
SQL performance and troubleshooting: http://sqlnexus.codeplex.com/
Microsoft companion (MOC): http://www.microsoft.com/en-us/learning/companion-moc.aspx
Web sites: http://guimberteau.net http://sqlpro.developpez.com http://sqlmag.com
Tips and tricks:
PowerShell: import-module SQLPS
Placement of tempdb on a dedicated disk (RAID 1), same for log files (RAID 1 or 10) and

How to conduct IT interviews?

During the hard exercise of recruiting IT pros, you have to ask questions; here are links to some Q&A:
http://www.techiebird.com/sendmail.html
https://www.brentozar.com/archive/2009/07/top-10-interview-questions-for-windows-sysadmins/
http://www.01world.in/p/windows.html
http://resources.intenseschool.com/top-interview-questions-for-system-administrators-microsoft/
https://www.toptal.com/sql/interview-questions
https://dwbi.org/database/sql/72-top-20-sql-interview-questions-with-answers
http://www.indiabix.com/technical/sql-server-common-questions/
https://www.linux.com/blog/10-job-interview-questions-linux-system-administrators
http://computernetworkingnotes.com/rhce-interview-questions/linux-interview-questions-for-experienced.html

What if PSRemoting and Unrestricted Execution are disabled?

Remotely enable PSRemoting and unrestricted PowerShell execution using PsExec and PSSession, then run PSRecon.
Option 1 – WMI: PS C:\> wmic /node:"10.10.10.10" process call create "powershell -noprofile -command Enable-PsRemoting -Force" -Credential Get-Credential
Option 2 – PsExec: PS C:\> PsExec.exe \\10.10.10.10 -u [admin account name] -p [admin account password] -h -d powershell.exe "Enable-PSRemoting -Force"
Next… PS