Audit windows files

Windows file system auditing is an important means of keeping your security level high. Article: PowerShell script: Extract: First, you need to enable file system auditing using a GPO setting: in the Group Policy editor, navigate to Computer Configuration -> Policies -> Windows Settings -> Local Policies, then click Audit Policy. You can add many auditing options to…

Security : Systems forensics and free tools

Based on my 25 years of experience as a sysadmin, I recommend the free tools below for forensic analysis and systems assessment: Repair tools: Windows privilege escalation: Blog hacker playbook mindmap (poster): SANS DFIR hunting evil Windows map (poster): Windows systems: Linux privilege escalation: Blogs and web sites: 51 Tools for Security Analysts…

Microsoft Security compliance toolkit / Windows hardening / GPO settings

Microsoft security compliance toolkit: It replaces Security Compliance Manager. This tool lets you plan, create, and monitor security baselines for your client workstations. Microsoft chose to replace SCM because of its complexity and the difficulty of maintaining the tool for each version of Windows. Today, SCT does not support…

How to deploy the latest Windows GPO?

The Central Store. To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a Windows domain controller. The Central Store is a file location that is checked by the Group Policy tools by default. The Group Policy tools use all .admx files that are in…

How to work with regular expressions

Hi, if you are using regular expressions, I recommend the following tools and sites: Regex tools to learn, build, and test regular expressions: Tutorials about regexp: Examples: .at matches any three-character string ending with “at”, including “hat”, “cat”, and “bat”. [hc]at matches “hat” and “cat”. [^b]at matches…

Security baseline for Windows Operating system

Security baseline reference article: Download the latest version: Introduction: Download the content. As usual, the content includes GPO backups, GPO reports, scripts to apply settings to the local GPO, Policy Analyzer rules files for each baseline and for the full set, and spreadsheets documenting all available GPOs and our recommended settings, settings that are new to…

Hacking and Securing Active Directory

Hacking techniques for AD: “state of the art” (but scary!) with possible mitigation (when possible) + a few new methods… For GPO audit: Spraykatz: ReverseTCP shell: Securing AD: AD Explorer: AD Authentication silos and more: MS white-paper best practices…

Authentication Silos and policies

Reference: To use Authentication silos, you need a 2012 R2 domain functional level on the forest. They are part of the configuration partition (so, at the forest level), replicated on all domain controllers. Videos:

AD – Securing Domain Controllers / hardening Windows domain and computers

Reference articles to secure a Windows domain: PingCastle: to audit an AD domain. AD Explorer (Sysinternals): Microsoft audit policy settings and recommendations: Sysinternals Sysmon: to audit and control changes. On Beyond domain admins: Gathering AD data with PowerShell: Hardening Windows computers, secure baseline checklist: …

Troubleshooting Account locked out; EventID 4740,4625,4771

Troubleshooting account lockouts has become an IT admin routine nowadays. You can find more possible root causes in our Account Lockout Troubleshooting Guide. Possible root causes: persistent drive mappings with expired credentials; mobile devices using domain services like an Exchange mailbox; service accounts using cached passwords; scheduled tasks with expired credentials; programs using stored…