Category: Web server


Attack surface analyzer:

https://www.microsoft.com/security/blog/2019/05/15/announcing-new-attack-surface-analyzer-2-0

 

DSC-EA:

https://github.com/Microsoft/DSCEA

documentation: https://microsoft.github.io/DSCEA/

 

Microsoft security compliance toolkit:

Il remplace Security Compliance Manager. Cet outil permet de planifier, créer, et monitorer des baselines de sécurité pour vos postes clients. Le remplacement a été choisi par Microsoft du fait de la complexité de SCM et de la difficulté à maintenir l’outil pour chaque version de Windows. Aujourd’hui, SCT ne supporte pas Desired Configuration Management de System Center Configuration Manager ou SCAP.

https://www.microsoft.com/en-us/download/details.aspx?id=55319

how to use it:

https://arnaudloos.com/2018/intro-to-policy-analyzer/

https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/security-compliance-toolkit-10.md

 

Other references:

2012 R2 hardening (CIS):

https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf

Windows 10 hardening:

https://www.asd.gov.au/publications/protect/Hardening_Win10.pdf

 

 

 

Advertisements

Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/

  1. Network Monitor 3.4 (Netmon) – https://www.microsoft.com/en-us/download/details.aspx?id=4865 (NOTE: Network Monitor is no longer under active development)
  2. Wireshark (v 2.2.2 as of 11/16/16) – https://wireshark.org/#download
  3. Netsh Trace – built-in to operating system
  4. Microsoft Message Analyzer (MMA) (v 1.4 as of 6/13/16) – https://www.microsoft.com/en-us/download/details.aspx?id=44226

Message analyzer operating guide: http://technet.microsoft.com/en-us/library/jj649776.aspx

How to message analyzer on YouTube: https://www.youtube.com/watch?v=e0v0RsQVdT8

As you might guess from the name, Message Analyzer is much more than a network sniffer or packet tracing tool.  Key capabilities include:

  • Integrated “live” event and message capture at various system levels and endpoints (client and server remotely !)
  • Remote capture (capture multiple point concurrently)
  • Parsing and validation of protocol messages and sequences
  • Automatic parsing of event messages described by ETW manifests
  • Summarized grid display – top level is  “operations”, (requests matched with responses)
  • User controlled “on the fly” grouping by message attributes
  • Ability to browse for logs of different types (.cap, .etl, .txt) and import them together
  • Automatic re-assembly and ability to render payloads
  • Ability to import text logs, parsing them into key element/value pairs
  • Support for “Trace Scenarios” (one or more message providers, filters, and views)

Other articles:

Use message analyzer to convert a .etl to .cap: https://blogs.msdn.microsoft.com/benjaminperkins/2018/03/09/analyze-netsh-traces-with-wireshark-or-network-monitor/

 

Capture a network trace using netsh:

https://blogs.msdn.microsoft.com/benjaminperkins/2018/03/09/capture-a-netsh-network-trace/

 

  1. To learn more about your nmcap options, enter “nmcap /?” or “nmcap /examples”
  2. Wireshark training can be found at https://www.wireshark.org/#learnWS.
  3. For more information on Message Analyzer, check out the blog at https://blogs.technet.microsoft.com/messageanalyzer/.
  4. Message Analyzer training videos can be found at https://www.youtube.com/playlist?list=PLszrKxVJQz5Uwi90w9j4sQorZosTYgDO4.
  5. Message Analyzer Operating Guide – https://technet.microsoft.com/en-us/library/jj649776.aspx
  6. Information on the Message Analyzer PowerShell module can be found at https://technet.microsoft.com/en-us/library/dn456518(v=wps.630).aspx.
  7. Remote captures with MMA – https://blogs.technet.microsoft.com/messageanalyzer/2013/10/17/remote-capture-with-message-analyzer-and-windows-8-1/

Windows Admin Center:

https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/understand/windows-admin-center

Installation:

You can install Windows Admin Center on the following Windows operating systems:

Version Installation mode
Windows 10, version 1709 or newer Desktop mode
Windows Server Semi-Annual Channel Gateway mode
Windows Server 2016 Gateway mode
Windows Server 2019 Gateway mode

Desktop mode: Launch from the Start Menu and connect to the Windows Admin Center gateway from the same computer on which it’s installed (i.e. https://localhost:6516)

Gateway mode: Connect to the Windows Admin Center gateway from a client browser on a different machine (i.e. https://servername.contoso.com)

To test SSL/TLS and much more you can use the free online tool from Qualys: https://www.ssllabs.com/ssltest/index.html

Third-party Tool: https://www.nartac.com/Products/IISCrypto/Download

 

Links related to TLS which I have consulted: Solving the TLS problem ==> https://www.microsoft.com/en-us/download/details.aspx?id=55266

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll ==> https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

TLS/SSL Settings ==> https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS10

Managing SSL/TLS Protocols and Cipher Suites for ADFS:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

https://jorgequestforknowledge.wordpress.com/2017/03/01/hardening-disabling-weak-ciphers-hashes-and-protocols-on-adfs-wap-aad-connect/

 

C:\Windows\System32\inetsrv\appcmd.exe set config /section:applicationPools /[name=’myapppool’].processModel.identityType:SpecificUser /[name=’myapppool’].processModel.userName:’mydomain\user1′ /[name=’myapppool’].processModel.password:’PassW0rd’

This was one of the main blockers of Firefox adoption in the enterprise : https://bugzilla.mozilla.org/show_bug.cgi?id=1433136

 

Reference: http://support.microsoft.com/kb/318785

Microsoft .net Framework is a software package that is used by many applications, it runs in a software environment as opposed to hardware environment.

Free program called .NET Version Detector ( download here ).

PowerShell: how to get version of .net framework on a remote computer: https://gallery.technet.microsoft.com/scriptcenter/Detect-NET-Framework-120ec923

To query the local Registry using PowerShell, execute the below command in an elevated PowerShell session.

(Get-ItemProperty ‘HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full’  -Name Release).Release

You can then use the table below to reference the installed version of .NET. For instance, if the returned value is 379893, then .NET 4.5.2 is installed.

Run the script below on the client machine that’s generating the WMI corruption errors. It recompiles all .mof WMI files found in the %windir%\System32\Wbem\Repository folder.

  • @ECHO OFFsc config winmgmt start= auto

    reg add HKLM\SOFTWARE\Microsoft\Ole /v EnableDCOM /t REG_SZ /d “Y” /f
    reg add HKLM\SOFTWARE\Microsoft\Ole /v LegacyAuthenticationLevel /t REG_DWORD /d “2” /f
    reg add HKLM\SOFTWARE\Microsoft\Ole /v LegacyImpersonationLevel /t REG_DWORD /d “3” /f

    reg delete HKLM\SOFTWARE\Microsoft\Ole /v DefaultLaunchPermission /f
    reg delete HKLM\SOFTWARE\Microsoft\Ole /v MachineAccessRestriction /f
    reg delete HKLM\SOFTWARE\Microsoft\Ole /v MachineLaunchRestriction /f

    NET STOP SharedAccess

    NET STOP winmgmt

    CD %WINDIR%\System32\Wbem\Repository
    DEL /F /Q /S %WINDIR%\System32\Wbem\Repository\*.*
    CD %WINDIR%\system32\wbem

    REGSVR32 /s %WINDIR%\system32\scecli.dll
    REGSVR32 /s %WINDIR%\system32\userenv.dll

    MOFCOMP cimwin32.mof
    MOFCOMP cimwin32.mfl
    MOFCOMP rsop.mof
    MOFCOMP rsop.mfl
    FOR /f %%s IN (‘DIR /b /s *.dll’) DO REGSVR32 /s %%s
    FOR /f %%s IN (‘DIR /b *.mof’) DO MOFCOMP %%s
    FOR /f %%s IN (‘DIR /b *.mfl’) DO MOFCOMP %%s
    MOFCOMP exwmi.mof
    MOFCOMP -n:root\cimv2\applications\exchange wbemcons.mof
    MOFCOMP -n:root\cimv2\applications\exchange smtpcons.mof
    MOFCOMP exmgmt.mof

    rundll32 wbemupgd, UpgradeRepository

    NET STOP Cryptsvc
    DEL /F /Q /S %WINDIR%\System32\catroot2\*.*
    DEL /F /Q C:\WINDOWS\security\logs\*.log
    NET START Cryptsvc

    cd c:\windows\system32
    lodctr /R
    cd c:\windows\sysWOW64
    lodctr /R

    WINMGMT.EXE /RESYNCPERF

    msiexec /unregister
    msiexec /regserver
    REGSVR32 /s msi.dll

    NET START winmgmt
    NET START SharedAccess

    Execute the commands below in an elevated Command Prompt on the client machine that’s generating the WMI corruption errors. This is an alternate way of resetting the WMI repository to the initial state when the operating system was first installed:

          Winmgmt.exe /standalonehost
          Winmgmt.exe /resetrepository

          Winmgmt.exe /salvagerepository

 

  • Execute the command below in an elevated Command Prompt on the client machine that’s generating the WMI corruption errors. It checks the integrity of Windows operating system files and attempts to repair errors it finds.
    sfc /scannow
  • If all else fails, reinstall the Windows operating system on the client machine that’s generating the WMI corruption errors.

 

Understanding ADFS and Federation by a example:

https://blogs.technet.microsoft.com/askpfeplat/2018/01/29/adfs-monitoring-a-relying-party-for-certificate-changes/

Comparing SAML, WS-FED and OAuth: https://blogs.technet.microsoft.com/askpfeplat/2014/11/02/adfs-deep-dive-comparing-ws-fed-saml-and-oauth/

What’s new in ADFS 2016?

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server

  • Eliminate Passwords from the Extranet
  • Sign in with Azure Multi-factor Authentication
  • Password-less Access from Compliant Devices
  • Sign in with Microsoft Passport
  • Secure Access to Applications
  • Better Sign in experience
  • Manageability and Operational Enhancements

You can upgrade an AD FS 2012 R2 farm using the “mixed farm” process described here. It works for WID or SQL farms, though the document shows only the WID scenario. Also another upgrade procedure:

  1. Active Directory schema update using ‘ADPrep’ with the Windows Server 2016 additions
  2. Build Windows Server 2016 servers with ADFS and install into the existing farm and add the servers to the Azure load balancer
  3. Promote one of the ADFS 2016 servers as “primary” of the farm, and point all other secondary servers to the new “primary”
  4. Build Windows Server 2016 servers with WAP and add the servers to the Azure load balancer
  5. Remove the WAP 2012 servers from the Azure load balancer
  6. Remove the ADFSv3 servers from the Azure load balancer
  7. Raise the Farm Behavior Level feature (FBL) to ‘2016’
  8. Remove the WAP servers from the cluster
  9. Upgrade the WebApplicationProxyConfiguration version to ‘2016’
  10. Configure ADFS 2016 to support Azure MFA and complete remaining configuration

https://blog.kloud.com.au/2017/01/20/adfs-v-3-0-2012-r2-migration-to-adfs-4-0-2016-part-1/

https://blog.kloud.com.au/2017/01/23/adfs-v-3-0-2012-r2-migration-to-adfs-4-0-2016-part-2/

https://blog.kloud.com.au/2017/01/25/wap-2012-r2-migration-to-wap-2016/

Other links:

http://www.mrchiyo.com/migrating-mixed-mode-ad-fs-full-windows-server-2016-ad-fs-farm/

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server

http://blog.ryanbetts.co.uk/2017/02/upgrade-adfs-30-to-40-with-windows.html

https://araihan.wordpress.com/2017/03/20/upgrading-ad-fs-to-windows-server-2016-fbl/

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016

ADFS 2016 operations and management best practices

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-2016-operations

https://flamingkeys.com/ad-fs-windows-server-2016-best-practices/

ADFS 2016 how to change SSL certificate:

Note: remove the user account who will change the SSL using AADconnect or Set-AdfsSSLCertificate cmdlet from the Active Directory Protected users group, else you will get a access denied due to problem with invoke-command or winrm

Standard method: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap

with AADConnect: https://docs.microsoft.com/fr-fr/azure/active-directory/hybrid/how-to-connect-fed-ssl-update

ADFS Required updates

https://docs.microsoft.com/en-au/windows-server/identity/ad-fs/deployment/updates-for-active-directory-federation-services-ad-fs

ADFS 2016 deployment

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-deployment

ADFS 2016 design, Sign-in pages customization

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide

https://github.com/Microsoft/adfsWebCustomization/tree/master/centeredUi

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/advanced-customization-of-ad-fs-sign-in-pages

Web article:

https://technet.microsoft.com/en-us/library/cc784450(v=ws.10).aspx

https://blogs.technet.microsoft.com/askpfeplat/2017/11/13/demystifying-schannel/

Links related to TLS which I have consulted: Solving the TLS problem ==> https://www.microsoft.com/en-us/download/details.aspx?id=55266

Managing SSL/TLS Protocols and Cipher Suites for AD FS ==> https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll ==> https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

TLS/SSL Settings ==> https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS10

How to test SSL/TLS:

with online scanner:

https://www.ssllabs.com/ssltest/index.html

with openssl:

You can easily see what SSL protocol a server supports (and even grab the certificate from there) example below with openSSL:

openssl s_client -connect myserver.mydomain.local:636 -ssl3
openssl s_client -connect myserver.mydomain.local:636 -tls1
openssl s_client -connect myserver.mydomain.local:636 -tls1_1
openssl s_client -connect myserver.mydomain.local:636 -tls1_2

All those reports successfull connection SSL handshake and present the proper server certificate.

And it is very easy anyway for a client to get supported SSL protocols on a remote server, it is how client <==> server handshake works to
select an agreed protocol supported on both sides.

I suggest you check on application side …

# nmap –script ssl-enum-ciphers -p 636 myserver.mydomain.local

Starting Nmap 6.46 ( http://nmap.org ) at 2017-02-16 18:22 CET
Nmap scan report for myserver.mydomain.local (172.19.133.64)
Host is up (0.025s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA – strong
| TLS_RSA_WITH_RC4_128_MD5 – strong
| TLS_RSA_WITH_RC4_128_SHA – strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA – strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA – strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA – strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA – strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA – strong
| TLS_RSA_WITH_AES_128_CBC_SHA – strong

 

How to disable TLS 1.0, 1.1

https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/

https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/

https://blogs.technet.microsoft.com/exchange/2018/05/23/exchange-server-tls-guidance-part-3-turning-off-tls-1-01-1/

Registry values to disable TLS 1.0 and 1.1:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000

How to enable TLS 1.2:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001