Category: Windows Server/Client


To detect lateral movement on Windows infrastructure I recommend to collect the following events:

It’s based on events (4648 + 4672 from member servers, 8004 from DCs) + network traffic (AS/TGS).

Regarding both event 4648 (A logon was attempted using explicit credentials) and event 4672 (Special privileges assigned to new logon):
=> Collect events and send to a SIEM (splunk, logrythm …) or even Windows Event collector (WEF)

 

Disabling SMB v1 (lanmanserver “server service only”) on windows computers/servers:

Full version: https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

 

My recommendation:

a) for domain-based computers: use GPO “group policy object” to deploy the registry key to disable SMBv1 (server-side only) protocol on all systems (A reboot is required to take effect)

 

b) for isolated computer or non/domain joined computers: use the following command line to modify the lanmanserver registry key properly

 

Implementation – Technical details:

 

a) for domain-based computers, create a GPO or modify an existing GPO applied to computers only, to add the following registry key:

 

for domain-based computers, to create the GPO setting to disable SMB v1, use GPMC, Computer configuration, preferences, windows settings, registry, right-click, new registry item,

 

keep: Update,

Select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

 

Value: SMB1

Data: REG_DWORD 0

 

Note: To re-enable it

REG_DWORD: 1 = Enabled

Default: 1 = Enabled

 

 

b) for isolated computer or non/domain joined computers:

 

b.1) For Windows 8 and Windows server 2012 or greater (Note: not supported on Windows 7):

To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

 

Get-SmbServerConfiguration | Select EnableSMB1Protocol

 

To disable SMBv1 on the SMB server, run the following cmdlet:

 

Set-SmbServerConfiguration -EnableSMB1Protocol $false

 

b.2) For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

 

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server

2008, use Windows PowerShell or Registry Editor.

 

To disable SMBv1 on the SMB server, run the following cmdlet:

 

Set-ItemProperty –Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 –Force

 

To assess the impact:

 

This article contain a table to understand what version you will end up, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server.

https://blogs.technet.microsoft.com/josebda/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-are-you-using-on-your-file-server/

 

 

This article contain a table to understand what version you will end up, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server.

https://blogs.technet.microsoft.com/josebda/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-are-you-using-on-your-file-server/

What is DSRM?

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored.

Note: Do not confuse DSRM with Safe Mode. Active Directory will still attempt to start in Safe Mode and if it fails you will not be able to log on. Instead use DSRM.

You can log on to DSRM by using a special DSRM password that you set when you promoted the domain controller. Use the logon account name .\Administrator

Windows Server 2008-2016: DSRM is only needed when you are using remote desktop software, or when doing a domain-wide restore or a forest-wide restore, or when AD is so damaged that it will not boot.

How to Log on to DSRM

After booting DSRM (see below) click on Switch User -> Other User. When prompted for the logon account name type .\Administrator

The initial logon prompt will show the account name MyDomain\Administrator, where MyDomain is the name of the domain. This is incorrect and will not work. You must click on Switch User and manually type the name .\Administrator.

If you forgot the DSRM password, you can reset the password using ntdsutil. See Reset DSRM Password on Internet.

If you forgot the DSRM password and you also forgot your Active Directory password, see Changing a Lost Domain Administrator Password on Internet.
How to Boot DSRM: F8 Key

To manually boot in Directory Services Restore Mode, press the F8 key repeatedly. Do this immediately after BIOS POST screen, before the Windows logo appears. (Timing can be tricky; if the Windows logo appears you waited too long.) A text menu menu will appear. Use the up/down arrow keys to select Directory Services Restore Mode or DS Restore Mode. Then press the Enter key.

Windows 8 or later: The F8 key is disabled on desktop editions of Windows 8 or later. If you want to boot into Safe Mode, run msconfig and select Minimal. Then reboot.
How to Boot DSRM: msconfig.exe

You can configure Windows to boot DSRM using msconfig.exe:
1.Click on Start (or press WIN+X) -> Run.
2.In the Open box type msconfig and click OK. This will show the System Configuration dialog box.
3.Click on the tab Boot (top).
4.Under “Boot options” check the box Safe boot.
5.Select Active Directory repair and click OK.
6.Reboot the computer: Click on Start (or press WIN+X -> Shut down or sign out -> Restart.

This will boot the computer into DSRM.

To boot normally, reverse the procedure:
1.Click on Start (or press WIN+X) -> Run.
2.In the Open box type msconfig and click OK. This will show the System Configuration dialog box.
3.Click on the tab Boot (top).
4.Under “Boot options” uncheck the box Safe boot and click OK.
5.Reboot the computer: Click on Start (or press WIN+X -> Shut down or sign out -> Restart.

This will boot the computer back into normal mode.
How to Boot DSRM: Bcdedit

On Windows Server 2008 or later you can run bcdedit inside of an administrative console:
1.To boot DSRM, type the command bcdedit /set safeboot dsrepair, then reboot: shutdown /r /f /t 5.
2.When you are ready to boot normally, type bcdedit /deletevalue safeboot, then reboot: shutdown /r /f /t 5.

You can use this procedure when a graphical user interface (GUI) is not available (e.g., on Server Core).

https://www.myotherpcisacloud.com/post/SRV-Record-for-NTP-In-MY-Active-Directory

 

View story at Medium.com

Microsoft Fasttrack use cases: productivity library

Office 365 deployment advisors: Deployment advisors

 

What’s new in ADFS 2016?

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server-2016?f=255&MSPPError=-2147217396

You can upgrade an AD FS 2012 R2 farm using the “mixed farm” process described here. It works for WID or SQL farms, though the document shows only the WID scenario.

 

For reference, here is the link to Mozilla official best practices for enterprise deployment:

https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment

GPO settings for Firefox:

https://sourceforge.net/projects/firefoxadmx/

https://support.olfeo.com/kb/article/2121

https://www.websense.com/content/support/library/web/hosted/getting_started/apply_policy.aspx

 

 

Technet article: https://technet.microsoft.com/en-us/library/cc978014.aspx

” Explanation:

When a requested object exists in the directory but is not present on the contacted domain controller, name resolution depends on that domain controller’s knowledge of how the directory is partitioned. In a partitioned directory, by definition, the entire directory is not always available on any one domain controller.

An LDAP referral is a domain controller’s way of indicating to a client application that it does not have a copy of a requested object (or, more precisely, that it does not hold the section of the directory tree where that object would be, if in fact it exists) and giving the client a location that is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller. Ideally, referrals always reference a domain controller that indeed holds the object. However, it is possible for the referred-to domain controller to generate yet another referral, although it usually does not take long to discover that the object does not exist and to inform the client. Active Directory returns referrals in accordance with RFC 2251. ”

Atlassian KB article: https://confluence.atlassian.com/confkb/user-lookups-fail-with-partialresultexceptions-due-to-active-directory-follow-referrals-configuration-612959323.html