Category: Windows Server/Client


Behind this catchy title is a real need. As a system administrator, it may be worthwhile to audit all of your organization’s Active Directory accounts to assess the level of security for user accounts. Let’s see how we do it!

Web resources and Methods:

Source: http://thehackernews.com/2017/07/windows-10-ubuntu-linux.html

Windows and Linux in the same line? Yes, you heard that right… and that too, on the same computer and within the same operating system.

Two months ago, Microsoft announced its plans to let its users install three different flavours of the Linux operating system – Ubuntu, Fedora, and SUSE – directly through their Windows Store, allowing them to run Windows and Linux apps side-by-side.

Now, downloading an entire operating system has just become as easy as downloading an application with the availability of popular Linux distro ‘Ubuntu’ in the Windows App Store.

However, unlike a conventional Ubuntu installation, this Ubuntu version runs sandboxed alongside Windows 10 with limited interaction with the operating system and is focused on running regular command-line utilities like bash or SSH as a standalone installation through an Ubuntu Terminal.

For now, Ubuntu is only available to Windows 10 Insider users and would be made available to the public with the upcoming Windows 10 Fall Creators Update, which is expected to release in September/October 2017.

Here’s How to Install and Run Ubuntu on Windows 10

Users registered in the Windows 10 Insider Program with at least “Build 16215” installed can directly install Ubuntu from the Windows Store, which will allow them to “use Ubuntu Terminal and run Ubuntu command line utilities including bash, ssh, git, apt and many more.”

After installing Ubuntu, Windows 10 users will need to enable the “Windows Subsystem for Linux” feature that was previously added to Windows 10.

What’s new in ADFS 2016?

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server-2016?f=255&MSPPError=-2147217396

  • Eliminate Passwords from the Extranet
  • Sign in with Azure Multi-factor Authentication
  • Password-less Access from Compliant Devices
  • Sign in with Microsoft Passport
  • Secure Access to Applications
  • Better Sign in experience
  • Manageability and Operational Enhancements

 

You can upgrade an AD FS 2012 R2 farm using the “mixed farm” process described in the upgrade document below. It works for WID or SQL farms, though the document shows only the WID scenario:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016

 

ADFS v 3.0 (2012 R2) Migration to ADFS 4.0 (2016) – Part 1

ADFS v 3.0 (2012 R2) Migration to ADFS 4.0 (2016) – Part 2

ADFS v 3.0 (2012 R2) Migration to ADFS 4.0 (2016) – Part 3 – Azure MFA Integration

 

ADFS 2016 operations

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-2016-operations

ADFS 2016 deployment

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-deployment

ADFS 2016 design

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide

To detect lateral movement on Windows infrastructure I recommend collecting the following events:

The approach is based on events (4648 + 4672 from member servers, 8004 from DCs) plus network traffic (Kerberos AS-REQ/TGS-REQ exchanges). Event 8004 is written to the Microsoft-Windows-NTLM/Operational log on domain controllers once “Network security: Restrict NTLM: Audit NTLM authentication in this domain” is enabled, and it records each NTLM authentication the DC validates.

Regarding event 4648 (A logon was attempted using explicit credentials) and event 4672 (Special privileges assigned to new logon):
=> Make sure the Logon and Special Logon audit subcategories are auditing success on member servers, then collect the events and send them to a SIEM (Splunk, LogRhythm, ...) or at least to a Windows Event Collector using Windows Event Forwarding (WEF).
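The following PowerShell is an added example, not part of the original notes. It flattens 4648/4672 records from the Security log (or a WEF collector’s ForwardedEvents) and flags accounts that supplied explicit credentials against several different servers in a short window, which is what a runas/PsExec/WinRM style hop looks like; it also lists where 4672 handed admin-equivalent privileges to non-machine accounts. The sample rows at the bottom are constructed test data, and the account, host and process names in them are assumptions.

```powershell
# Added example (not from the original notes). Run on a WEF collector or a member server
# with local admin rights. Function names and the sample data below are assumptions.

function ConvertFrom-SecurityEvent {
    # Flattens the EventData of a 4648 / 4672 record into a simple object.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time         = $Event.TimeCreated
            Id           = $Event.Id
            Computer     = $Event.MachineName
            Subject      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Target       = if ($Event.Id -eq 4648) { "$($d.TargetDomainName)\$($d.TargetUserName)" } else { $null }
            TargetServer = $d.TargetServerName
            Process      = $d.ProcessName
            IpAddress    = $d.IpAddress
            Privileges   = $d.PrivilegeList
        }
    }
}

function Find-ExplicitLogonFanOut {
    # Groups 4648 rows by the account that supplied the credentials and reports those that
    # touched at least $MinTargets distinct servers. Machine accounts (names ending in $)
    # and 'localhost' targets are dropped as noise.
    param([Parameter(Mandatory)] $Rows, [int] $MinTargets = 3)
    $Rows |
        Where-Object { $_.Id -eq 4648 -and $_.Subject -notmatch '\$$' -and $_.TargetServer -and $_.TargetServer -ne 'localhost' } |
        Group-Object Subject |
        ForEach-Object {
            $servers = @($_.Group.TargetServer | Sort-Object -Unique)
            [pscustomobject]@{
                Subject         = $_.Name
                DistinctTargets = $servers.Count
                Targets         = ($servers -join ', ')
                TargetAccounts  = (@($_.Group.Target | Sort-Object -Unique) -join ', ')
                FirstSeen       = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen        = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } |
        Where-Object { $_.DistinctTargets -ge $MinTargets } |
        Sort-Object DistinctTargets -Descending
}

function Find-PrivilegedLogons {
    # 4672 rows for real accounts: on which hosts were admin-equivalent tokens created?
    param([Parameter(Mandatory)] $Rows)
    $Rows |
        Where-Object { $_.Id -eq 4672 -and $_.Subject -notmatch '\$$' -and $_.Subject -ne 'NT AUTHORITY\SYSTEM' } |
        Group-Object Subject, Computer |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

# --- Constructed sample (not real log data): a helpdesk account hopping across three servers ---
$t = Get-Date '2017-09-01 10:00'
$sample = @(
    [pscustomobject]@{ Time=$t;               Id=4648; Computer='WS01'; Subject='CORP\helpdesk1'; Target='CORP\svc_backup'; TargetServer='FS01.corp.local';  Process='C:\Windows\System32\wsmprovhost.exe'; IpAddress='10.0.0.21'; Privileges=$null }
    [pscustomobject]@{ Time=$t.AddMinutes(2); Id=4648; Computer='WS01'; Subject='CORP\helpdesk1'; Target='CORP\svc_backup'; TargetServer='SQL01.corp.local'; Process='C:\Windows\System32\wsmprovhost.exe'; IpAddress='10.0.0.21'; Privileges=$null }
    [pscustomobject]@{ Time=$t.AddMinutes(5); Id=4648; Computer='WS01'; Subject='CORP\helpdesk1'; Target='CORP\svc_backup'; TargetServer='DC01.corp.local';  Process='C:\Windows\System32\wsmprovhost.exe'; IpAddress='10.0.0.21'; Privileges=$null }
    [pscustomobject]@{ Time=$t.AddMinutes(6); Id=4672; Computer='DC01'; Subject='CORP\svc_backup'; Target=$null; TargetServer=$null; Process=$null; IpAddress=$null; Privileges='SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege' }
    [pscustomobject]@{ Time=$t.AddMinutes(30); Id=4648; Computer='WS07'; Subject='CORP\WS07$'; Target='CORP\WS07$'; TargetServer='localhost'; Process='C:\Windows\System32\svchost.exe'; IpAddress='-'; Privileges=$null }
)
Find-ExplicitLogonFanOut -Rows $sample -MinTargets 3 | Format-List
Find-PrivilegedLogons -Rows $sample | Format-Table -AutoSize

# Live data: the same functions over the real log (last 24 h).
# $rows = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4648,4672; StartTime=(Get-Date).AddDays(-1) } | ConvertFrom-SecurityEvent
# Find-ExplicitLogonFanOut -Rows $rows -MinTargets 3
```

On the sample, the fan-out report lists CORP\helpdesk1 with three distinct targets (DC01, FS01, SQL01) using the CORP\svc_backup credentials, and the privileged-logon report shows svc_backup receiving SeDebugPrivilege on DC01 one minute later; the machine-account row is filtered out. The threshold and the noise filters are the parts to tune per environment.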

Reference:

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

Disabling SMB v1 (lanmanserver “server service only”) on windows computers/servers:

Full version: https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

 

My recommendation:

a) for domain-joined computers: use a GPO (Group Policy Object) to deploy the registry value that disables the SMBv1 server-side protocol on all systems (a reboot is required for it to take effect). This only turns off the SMBv1 server (LanmanServer); the SMBv1 client (the mrxsmb10 driver) is a separate setting.

b) for isolated or non-domain-joined computers: use the command lines below to modify the LanmanServer registry key or the SMB server configuration directly.

 

Implementation – Technical details:

a) for domain-joined computers, create a GPO (or modify an existing GPO that applies to computers only) to deploy the following registry value. In GPMC go to Computer Configuration, Preferences, Windows Settings, Registry, right-click, New, Registry Item, and fill in:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value name: SMB1
Value type: REG_DWORD
Value data: 0

Note: to re-enable it, set the value to 1 (1 = Enabled, which is also the default behaviour when the value is absent).

 

 

b) for isolated or non-domain-joined computers:

b.1) For Windows 8 and Windows Server 2012 or later (note: the SMB cmdlets are not available on Windows 7):

To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

Get-SmbServerConfiguration | Select EnableSMB1Protocol

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

b.2) For Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008:

To enable or disable SMB protocols on an SMB server running one of these versions, use Windows PowerShell against the registry, or Registry Editor. To disable SMBv1 on the SMB server, run the following from an elevated prompt (a reboot is required for the change to take effect):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

 

To assess the impact:

This article contains a table showing which SMB version you end up with, depending on which Windows version is running as the SMB client and which is running as the SMB server:

https://blogs.technet.microsoft.com/josebda/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-are-you-using-on-your-file-server/
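The version table tells you what Windows clients will negotiate, but not which printers, NAS boxes or legacy applications still depend on SMBv1 against a given server. The following PowerShell is an added example, not from the linked articles: it turns on SMBv1 auditing (available on Windows Server 2016 / Windows 10 and later, which log event 3000 in the Microsoft-Windows-SMBServer/Audit log for each SMBv1 connection), summarises the clients seen, shows the dialect of current sessions, and only then disables the SMBv1 server. The “Client Address:” wording it parses from the event message and the function names are assumptions.

```powershell
# Added example (not from the linked articles). Assumes an elevated PowerShell session on a
# file server running Windows Server 2016 / Windows 10 or later. The event-message layout
# ("Client Address: x.x.x.x") is an assumption; adjust the regex if your build words it differently.

function Enable-Smb1Audit {
    # Turns on SMBv1 auditing without touching the protocol itself. Leave it on long enough
    # to catch monthly jobs and rarely used appliances.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
}

function Get-Smb1Clients {
    # Lists every client that negotiated SMBv1 with this server since $Since (event 3000).
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Client Address:\s*(?<ip>[0-9a-fA-F\.:%]+)') {
                [pscustomobject]@{ Client = $Matches['ip']; Time = $_.TimeCreated }
            }
        } |
        Group-Object Client |
        ForEach-Object {
            [pscustomobject]@{
                Client   = $_.Name
                Hits     = $_.Count
                LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Hits -Descending
}

function Get-SmbDialectSummary {
    # Current sessions grouped by negotiated dialect: anything starting with "1." is SMBv1.
    Get-SmbSession | Group-Object Dialect |
        Select-Object @{ n = 'Dialect'; e = { $_.Name } }, Count |
        Sort-Object Dialect
}

function Disable-Smb1Server {
    # Only call this once Get-Smb1Clients has been empty for your chosen window.
    # Server side only: the SMBv1 client (mrxsmb10) is a separate setting.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
}

# Typical run: enable auditing, wait for the audit window, review, then disable.
Enable-Smb1Audit
Get-Smb1Clients | Format-Table -AutoSize
Get-SmbDialectSummary
# Disable-Smb1Server   # uncomment after the audit window shows no SMBv1 clients
```

Unlike the registry method, Set-SmbServerConfiguration applies immediately, so keep a change window anyway: a client that only speaks SMBv1 will fail at its next connection, not at the next reboot.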

What is DSRM?

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored.

Note: Do not confuse DSRM with Safe Mode. In Safe Mode, Active Directory still attempts to start, and if it fails you will not be able to log on; use DSRM instead.

You can log on to DSRM by using the special DSRM password that you set when you promoted the domain controller. Use the logon account name .\Administrator (this is the DC’s local DSRM Administrator account, not the domain Administrator).

Windows Server 2008-2016: DSRM is only needed when you are using remote desktop software, when doing a domain-wide or forest-wide restore, or when AD is so damaged that it will not boot.

How to Log on to DSRM

After booting into DSRM (see below), click on Switch User -> Other User. When prompted for the logon account name, type .\Administrator

The initial logon prompt will show the account name MyDomain\Administrator, where MyDomain is the name of the domain. This is incorrect and will not work. You must click on Switch User and manually type the name .\Administrator.

If you forgot the DSRM password, you can reset it using ntdsutil (search for “Reset DSRM Password”).

If you forgot the DSRM password and you also forgot your Active Directory password, search for “Changing a Lost Domain Administrator Password”.

How to Boot DSRM: F8 Key

To manually boot in Directory Services Restore Mode, press the F8 key repeatedly. Do this immediately after the BIOS POST screen, before the Windows logo appears. (Timing can be tricky; if the Windows logo appears you waited too long.) A text menu will appear. Use the up/down arrow keys to select Directory Services Restore Mode or DS Restore Mode. Then press the Enter key.

Windows 8 or later: The F8 key is disabled by default on Windows 8 or later (it can be brought back with bcdedit /set {default} bootmenupolicy legacy). If you want to boot into Safe Mode, run msconfig and select Minimal. Then reboot.

How to Boot DSRM: msconfig.exe

You can configure Windows to boot DSRM using msconfig.exe:
1. Click on Start (or press WIN+X) -> Run.
2. In the Open box type msconfig and click OK. This will show the System Configuration dialog box.
3. Click on the tab Boot (top).
4. Under “Boot options” check the box Safe boot.
5. Select Active Directory repair and click OK.
6. Reboot the computer: Click on Start (or press WIN+X) -> Shut down or sign out -> Restart.

This will boot the computer into DSRM.

To boot normally, reverse the procedure:
1. Click on Start (or press WIN+X) -> Run.
2. In the Open box type msconfig and click OK. This will show the System Configuration dialog box.
3. Click on the tab Boot (top).
4. Under “Boot options” uncheck the box Safe boot and click OK.
5. Reboot the computer: Click on Start (or press WIN+X) -> Shut down or sign out -> Restart.

This will boot the computer back into normal mode.

How to Boot DSRM: Bcdedit

On Windows Server 2008 or later you can run bcdedit in an elevated command prompt:
1. To boot DSRM, type the command bcdedit /set safeboot dsrepair, then reboot: shutdown /r /f /t 5.
2. When you are ready to boot normally, type bcdedit /deletevalue safeboot, then reboot: shutdown /r /f /t 5.

You can use this procedure when a graphical user interface (GUI) is not available (e.g., on Server Core). If you forget step 2, the DC keeps booting into DSRM and stays out of service, so check the current setting with bcdedit /enum {current} before and after.
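The DSRM Administrator account is a local administrator on the DC whose password is set once at promotion and rarely rotated, which makes it worth checking alongside the boot setting. The following PowerShell is an added example, not from the original notes: it reports whether the DC is currently set to boot into DSRM and whether the DsrmAdminLogonBehavior value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa has been changed from its default of 0 (1 lets the DSRM admin log on whenever AD DS is stopped, 2 lets it log on at any time, a known persistence setting). The function names are assumptions.

```powershell
# Added example (not from the original notes). Run in an elevated PowerShell on a domain
# controller. Function names are assumptions; the registry value and bcdedit switches are real.

function Get-DsrmState {
    # Read the safeboot entry of the current boot configuration, if any.
    $safeboot = $null
    foreach ($line in (bcdedit /enum '{current}' 2>$null)) {
        if ($line -match '^\s*safeboot\s+(\S+)') { $safeboot = $Matches[1] }
    }
    $nextBoot = if ($safeboot -eq 'DsRepair') { 'DSRM' }
                elseif ($safeboot)            { "Safe Mode ($safeboot)" }
                else                          { 'Normal' }

    # DsrmAdminLogonBehavior: absent or 0 is the secure default.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $behavior = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($null -eq $behavior) { $behavior = 0 }
    $finding = switch ($behavior) {
        0       { 'OK: DSRM admin can only log on in DSRM' }
        1       { 'WARN: DSRM admin can log on whenever AD DS is stopped' }
        2       { 'ALERT: DSRM admin can log on at any time (common persistence setting)' }
        default { "ALERT: unexpected value $behavior" }
    }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        NextBoot               = $nextBoot
        DsrmAdminLogonBehavior = $behavior
        Finding                = $finding
    }
}

function Set-DsrmBoot {
    # Wraps the bcdedit steps above and shows the resulting state before you reboot.
    param([switch]$Disable)
    if ($Disable) { bcdedit /deletevalue safeboot | Out-Null }
    else          { bcdedit /set safeboot dsrepair | Out-Null }
    Get-DsrmState
}

Get-DsrmState | Format-List
# Set-DsrmBoot            # then: shutdown /r /f /t 5
# Set-DsrmBoot -Disable   # after the repair, back to normal boot
```

If the check reports a non-zero DsrmAdminLogonBehavior that nobody can account for, treat the DC as potentially compromised rather than just resetting the value. Rotating the DSRM password itself is done with ntdsutil (for example “set dsrm password” followed by “sync from domain account <user>”), which the “Reset DSRM Password” references above cover.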

https://www.myotherpcisacloud.com/post/SRV-Record-for-NTP-In-MY-Active-Directory

 


Microsoft Fasttrack use cases: productivity library

Office 365 deployment advisors: Deployment advisors