Category: System and Network Admins


How to export and import DHCP database

Note: be careful when backing up or restoring DHCP. Remove the failover configuration on the source DHCP server before performing a backup.

http://westontech.org/backup-and-restore-dhcp-with-failover-configuration-server-2012/

Try netsh dhcp export / import => this old method does not back up the FAILOVER settings, so in your case it will only help to restore the scopes.


jacques

A) Using the netsh command (OLD method):

To backup (this creates a file in the d:\dhcpbackup folder):
netsh dhcp server export d:\dhcpbackup\BackupFile.txt all

To restore:
Copy this file to the computer running Windows Server 2016 that will function as the new DHCP server.
You'll need to install the DHCP server role on this computer and authorize the DHCP server in Active Directory before performing the following actions.
Open an elevated command prompt and run the following commands (this assumes you've copied the file to a folder named d:\dhcpbackup\):

Net stop DHCPserver
Del c:\windows\system32\DHCP\DHCP.mdb
Net start DHCPserver
Netsh dhcp server import d:\dhcpbackup\backupfile.txt
Exit
Net stop DHCPserver
Net start DHCPserver

B) Or using PowerShell (recommended):

To backup:
https://docs.microsoft.com/en-us/powershell/module/dhcpserver/export-dhcpserver?view=win10-ps

To restore:
https://docs.microsoft.com/en-us/powershell/module/dhcpserver/import-dhcpserver?view=win10-ps
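The PowerShell version of the backup/restore above, as an added example (not code from the page or from the linked docs). It refuses to export while a failover relationship still exists on the source, which is the pitfall the note at the top warns about. Server names SRC-DHCP01 / NEW-DHCP01 and the D:\dhcpbackup paths are assumptions.

```powershell
# Added example: export a DHCP server with PowerShell and import it on a new server.
# Assumed names: SRC-DHCP01 (source), NEW-DHCP01 (target), D:\dhcpbackup (backup folder).
$Source = 'SRC-DHCP01'
$Target = 'NEW-DHCP01'
$Backup = 'D:\dhcpbackup\dhcp-export.xml'

# 1. The export does not carry failover settings, so a scope still bound to a failover
#    relationship will not restore cleanly. Stop here if the source still has one.
$failover = Get-DhcpServerv4Failover -ComputerName $Source -ErrorAction SilentlyContinue
if ($failover) {
    foreach ($f in $failover) {
        Write-Warning "Failover relationship '$($f.Name)' still covers scopes: $($f.ScopeId -join ', ')"
    }
    throw "Remove the failover relationship(s) on $Source (Remove-DhcpServerv4Failover) before exporting."
}

# 2. Export server settings, all scopes and the current leases (overwrite an older file).
Export-DhcpServer -ComputerName $Source -File $Backup -Leases -Force

# 3. On the target (DHCP role installed, server authorized in AD) import everything.
#    -BackupPath saves the target's existing configuration before the import overwrites it.
Import-DhcpServer -ComputerName $Target -File $Backup -BackupPath 'D:\dhcpbackup\pre-import' `
                  -Leases -ScopeOverwrite -Force

# 4. Sanity check: the scopes on the target should match what was exported.
Get-DhcpServerv4Scope -ComputerName $Target |
    Format-Table ScopeId, Name, State, StartRange, EndRange -AutoSize
```

Re-create the failover relationship on the new server afterwards with Add-DhcpServerv4Failover; it is not part of the export.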


The following commands are to be run (twice) on Linux and on Windows to register the host's DNS records:

Linux:

net ads dns register -P

Windows:

ipconfig /registerdns

Microsoft security compliance toolkit:

It replaces Security Compliance Manager. This tool lets you plan, create and monitor security baselines for your client workstations. Microsoft chose to replace SCM because of its complexity and the difficulty of maintaining the tool for every version of Windows. Today, SCT does not support Desired Configuration Management of System Center Configuration Manager, nor SCAP.

https://www.microsoft.com/en-us/download/details.aspx?id=55319

how to use it:

https://arnaudloos.com/2018/intro-to-policy-analyzer/

https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/security-compliance-toolkit-10.md


Attack surface analyzer:

https://github.com/microsoft/AttackSurfaceAnalyzer


DSC-EA:

https://github.com/Microsoft/DSCEA

documentation: https://microsoft.github.io/DSCEA/


Other references:

2012 R2 hardening (CIS):

https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf

Windows 10 hardening:

https://www.asd.gov.au/publications/protect/Hardening_Win10.pdf


Security baseline reference article:

https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/

Introduction:

Download the content here: Windows-10-1903-Security-Baseline-DRAFT. As usual, the content includes GPO backups, GPO reports, scripts to apply settings to local GPO, Policy Analyzer rules files for each baseline and for the full set, and spreadsheets documenting all available GPOs and our recommended settings, settings that are new to this Feature Update, and changes from the previous baselines.

Note that Windows Server version 1903 is Server Core only and does not offer a Desktop Experience (a.k.a., “full”) server installation option. In the past we have published baselines only for “full” server releases – Windows Server 2016 and 2019. Beginning with this release we intend to publish baselines for Core-only Windows Server versions as well. However, we do not intend at this time to distinguish settings in the baseline that apply only to Desktop Experience. When applied to Server Core, those settings are inert for all intents and purposes.

This new Windows Feature Update brings very few new Group Policy settings, which we list in the accompanying documentation. The draft baseline recommends configuring only two of those. However, we have made several changes to existing settings, and are considering other changes. Please review the changes carefully and let us know what you think.

The changes from the Windows 10 v1809 and Windows Server 2019 baselines include:

  • Enabling the new “Enable svchost.exe mitigation options” policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically-generated code is disallowed. Please pay special attention to this one as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins.
  • Configuring the new App Privacy setting, “Let Windows apps activate with voice while the system is locked,” so that users cannot interact with applications using speech while the system is locked.
  • Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.
  • Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats. We have added a setting to the custom “MS Security Guide” ADMX to enable managing this configuration setting through Group Policy.
  • Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for Kerberos authentication service.
  • Dropping the password-expiration policies that require periodic password changes. This change is discussed in further detail below.
  • Dropping the specific BitLocker drive encryption method and cipher strength settings. The baseline has been requiring the strongest available BitLocker encryption. We are removing that item for a few reasons. The default is 128-bit encryption, and our crypto experts tell us that there is no known danger of its being broken in the foreseeable future. On some hardware there can be noticeable performance degradation going from 128- to 256-bit. And finally, many devices such as those in the Microsoft Surface line turn on BitLocker by default and use the default algorithms. Converting those to use 256-bit requires first decrypting the volumes and then re-encrypting, which creates temporary security exposure as well as user impact.
  • Dropping the File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off heap termination on corruption” settings, as it turns out they merely enforce default behavior, as Raymond Chen describes here.
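A quick local audit of three of the baseline changes listed above (svchost mitigation, LLMNR, NetBT NodeType), as an added example that is not part of the Microsoft article. The registry paths and values are the ones the corresponding Group Policy settings write; they are this note's assumptions, not stated on the page.

```powershell
# Added example: compare a local machine against three draft-baseline settings.
# Registry locations below are assumed from the matching ADMX policies, not from the page.
$checks = @(
    @{ Name = 'svchost.exe mitigation options enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig'
       Value = 'EnableSvchostMitigationPolicy'; Expected = 1 },
    @{ Name = 'LLMNR (multicast name resolution) disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Value = 'EnableMulticast'; Expected = 0 },
    @{ Name = 'NetBT NodeType = P-node (no broadcast registration/resolution)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
       Value = 'NodeType'; Expected = 2 }
)

function Test-BaselineSetting {
    param([hashtable]$Check)
    # A missing value means "not configured", which is non-compliant for all three checks.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Value) } else { $null }
    $shown  = if ($null -eq $actual) { '(not configured)' } else { $actual }
    [pscustomobject]@{
        Setting   = $Check.Name
        Expected  = $Check.Expected
        Actual    = $shown
        Compliant = ($actual -eq $Check.Expected)
    }
}

$results = foreach ($c in $checks) { Test-BaselineSetting -Check $c }
$results | Format-Table -AutoSize
# Non-zero exit so a scheduler or configuration tool can flag drift.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it in an elevated prompt; a value that Group Policy has not yet applied shows as "(not configured)" rather than as a compliant default.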


Collection of Web resources about dig usage:

http://www.danesparza.net/2011/05/using-the-dig-dns-tool-on-windows-7/

http://anouar.adlani.com/2011/12/useful-dig-command-to-troubleshot-your-domains.html

https://library.linode.com/linux-tools/common-commands/dig

Download dig (part of Bind):

http://www.isc.org/downloads/

Some commands:

What is the website's IP address?

dig +short amazon.com

How to identify the name servers associated with a domain?

dig NS +short anouar.im

What does the delegation path to my zone look like?

dig google.com +trace

Which mail server is responsible for a domain?

dig MX adlani.com

Which value is cached in a given resolver?

dig google.com @8.8.8.8

Which domain name is this IP associated with?

dig +short -x 8.8.8.8

Which are the name servers of a TLD?

dig +short NS nl.

When will the cached answer expire (see the TTL column)?

dig google.com +noall +answer

Is the zone synchronized to all my name servers?

dig google.com +nssearch

Does a zone exist on this name server?

dig SOA google.nl @ns1.nic.nl.

Using dig to retrieve different record types (here an SRV record):

dig srv _jabber._tcp.example.com
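The check behind "dig +nssearch" (is the zone in sync on all my name servers?) written in PowerShell with Resolve-DnsName instead of dig, as an added example that is not from the page. The zone name example.com is a constructed placeholder.

```powershell
# Added example: query every authoritative name server of a zone for its SOA record and
# flag serial-number mismatches or servers that do not answer (what dig +nssearch shows).
function Get-ZoneSerials {
    param([Parameter(Mandatory)][string]$Zone)
    # NS lookup through the default resolver gives the list of authoritative servers.
    $ns = Resolve-DnsName -Name $Zone -Type NS -ErrorAction Stop | Where-Object Type -eq 'NS'
    foreach ($server in $ns.NameHost) {
        try {
            # -DnsOnly bypasses the local cache so each server's own answer is seen.
            $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $server -DnsOnly -ErrorAction Stop |
                   Where-Object Type -eq 'SOA'
            [pscustomobject]@{ NameServer = $server; Serial = $soa.SerialNumber; Error = $null }
        } catch {
            [pscustomobject]@{ NameServer = $server; Serial = $null; Error = $_.Exception.Message }
        }
    }
}

$serials = Get-ZoneSerials -Zone 'example.com'   # constructed zone name
$serials | Format-Table -AutoSize

$distinct = @($serials | Where-Object Serial | Select-Object -ExpandProperty Serial -Unique)
$failed   = @($serials | Where-Object Error)
if ($distinct.Count -gt 1 -or $failed.Count -gt 0) {
    Write-Warning "Zone NOT in sync or a name server did not answer (serials: $($distinct -join ', '))"
} else {
    Write-Output "All $($serials.Count) name servers serve serial $($distinct[0])"
}
```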

Best practices for DNS forwarding:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754941%28v%3dws.10%29

https://www.petri.com/best-practices-for-dns-forwarding

To create a conditional forwarder zone in powershell:

read this reference doc: https://docs.microsoft.com/en-us/powershell/module/dnsserver/add-dnsserverconditionalforwarderzone?view=win10-ps

Examples:

To create a conditional forwarder zone (stored in the registry of the DNS Server):

Add-DnsServerConditionalForwarderZone -Name "contoso.com" -MasterServers 2001:4898:7020:f100:458f:e6a2:fcaf:698c,172.23.90.124 -PassThru

ZoneName      ZoneType    IsAutoCreated   IsDsIntegrated   IsReverseLookupZone   IsSigned
--------      --------    -------------   --------------   -------------------   --------
contoso.com   Forwarder   False           False            False


This command creates an Active Directory-integrated conditional forwarder zone for contoso.com:

Add-DnsServerConditionalForwarderZone -Name "contoso.com" -ReplicationScope "Forest" -MasterServers 2001:4898:7020:f100:458f:e6a2:fcaf:698c,172.23.90.124


To change an existing conditional forwarder zone, use the cmdlet:

Set-DnsServerConditionalForwarderZone
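An idempotent version of the two steps above (create the forwarder if missing, otherwise update its master servers with Set-DnsServerConditionalForwarderZone, then verify), as an added example that is not from the page. DNS server DNS01 and the second master server 172.23.90.125 are constructed values.

```powershell
# Added example: ensure the contoso.com conditional forwarder exists with the wanted
# master servers, then check that the DNS server actually resolves a name in the zone.
$Zone    = 'contoso.com'
$Masters = '172.23.90.124', '172.23.90.125'   # constructed addresses
$Dns     = 'DNS01'                            # assumed DNS server name

$existing = Get-DnsServerConditionalForwarderZone -Name $Zone -ComputerName $Dns -ErrorAction SilentlyContinue
if (-not $existing) {
    # AD-integrated, forest-wide replication so every DNS server gets the same forwarder.
    Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Masters `
        -ReplicationScope 'Forest' -ComputerName $Dns -PassThru
} else {
    $current = @($existing.MasterServers | ForEach-Object { $_.IPAddressToString })
    if (@(Compare-Object $current $Masters).Count -gt 0) {
        # Zone exists but points at different masters: correct it in place.
        Set-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Masters -ComputerName $Dns -PassThru
    }
}

# Verify: ask this server for a name inside the zone; a failure here means the forwarder
# is wrong or the master servers are unreachable.
Resolve-DnsName -Name "www.$Zone" -Server $Dns -Type A -DnsOnly -ErrorAction Stop |
    Format-Table Name, Type, IPAddress -AutoSize
```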

  • Microsoft Security Response Center: Protection, detection, and response.
  • Malware Protection Center: The Microsoft Malware Protection Center (MMPC) provides world class antimalware research and response capabilities that support Microsoft’s range of security products and services. With laboratories in multiple locations around the globe the MMPC is able to respond quickly and effectively to new malicious and potentially unwanted software threats wherever and whenever they arise.
  • My Bulletins: Is an online tool that provides you with a personalized list of the Microsoft security bulletins that matter most to you. Support for My Bulletins is being deprecated as Microsoft moves to simplify the update terminology and process. Going forward please use the Security Update Guide (SUG) for a more relevant and customizable way to track updates.
  • Security Update Guide (SUG): The Security Update Guide is the authoritative source of information on our security updates. It provides guidance, response, bulletin and advisory information and you can even get Security Update information through the API.
  • CSS YouTube Channel for customers: Now customers get a seamless self-service experience across our support sites and social channels. Check out the new CSS channel on YouTube – view it, like it, subscribe to it. The more activity, the easier it is for customers to find us when they need our help.
  • Blog MS Monthly: Blog MS consolidates a large number of highly relevant and up to date information sources across the Microsoft product and online services portfolio. You can expect to find important announcements and details of Microsoft news, product releases, service packs and important support issues.
  • Microsoft Premier Support: The Microsoft Premier Support (MPS) site is a secure Web site for the exclusive use of Premier Support customers. Note some of the links below may only be available to Premier Support customers. If you currently have Premier Support and don’t have access to MPS, please let your TAM know. Your TAM can get you access to the site.
  • Premier Services Twitter: Microsoft Premier Services is now on Twitter!  This account will share new proactive offerings and product information, links to important articles on TechNet or Microsoft Blogs, important lifecycle updates, and security alerts.  Start following us today!


Security News:


2019/03/11:

Operating systems can be detected using the ping command. Ping is a computer network administration utility used to check the availability of a host on an Internet Protocol (IP) network.

https://gbhackers.com/operating-systems-can-be-detected-using-ping-command/


2019/02/22:

Corporate firewalls can block reverse and bind TCP connections. However, corporate firewalls sit in front of internal networks, so a PING (ICMP) shell can be used:

https://gbhackers.com/icmp-shell-secret/


2019/02/03:

Exploiting Malwarebytes antimalware!

https://acru3l.github.io/2019/02/02/exploiting-mb-anti-exploit/


2019/01/24: redteam

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript):

https://github.com/zerosum0x0/koadic


A collection of security articles and web sites, KB, tips and tricks especially for System and Network Administrators, DevOps, Pentesters or Security Researchers.

https://github.com/trimstray/the-book-of-secret-knowledge


Hacking news web sites:

https://thehackernews.com/

https://www.bleepingcomputer.com/

https://www.zataz.com/


Passwords databases:

https://haveibeenpwned.com/

https://www.dehashed.com/

https://ghostproject.fr/

https://leaksify.com/


The Cyber Swiss Army Knife – a web app for encryption, encoding, compression and data analysis:

https://gchq.github.io/CyberChef/


Windows Admin Center:

https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/understand/windows-admin-center

Installation:

You can install Windows Admin Center on the following Windows operating systems:

Version                               Installation mode
Windows 10, version 1709 or newer     Desktop mode
Windows Server Semi-Annual Channel    Gateway mode
Windows Server 2016                   Gateway mode
Windows Server 2019                   Gateway mode

Desktop mode: Launch from the Start Menu and connect to the Windows Admin Center gateway from the same computer on which it’s installed (i.e. https://localhost:6516)

Gateway mode: Connect to the Windows Admin Center gateway from a client browser on a different machine (e.g. https://servername.contoso.com)