AD – Securing Domain Controllers / hardening Windows domain and computers

Reference articles to secure a Windows domain:

- The four pillars of Active Directory security (Les 4 piliers de la sécurité Active Directory): https://www.cert.ssi.gouv.fr/uploads/guide-ad.html
- Awesome Windows domain hardening: https://github.com/PaulSec/awesome-windows-domain-hardening
- PingCastle, to audit an AD domain: https://www.pingcastle.com/
- AD Explorer (Sysinternals): https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer
- Microsoft audit policy settings and recommendations: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
- Sysinternals Sysmon, to audit and control changes: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- On ADSecurity.org, Beyond domain admins: https://adsecurity.org/?p=3700
- On ADSecurity.org, Gathering AD data with PowerShell: https://adsecurity.org/?p=3719

SMB explained

Full article: https://401trg.com/an-introduction-to-smb-for-network-security-analysts/

Introduction: At its most basic, SMB is a protocol that allows devices to perform a number of functions on each other over a (usually local) network. SMB has been around for so long and maintains so much backwards compatibility that it contains an almost absurd amount of vestigial functionality, but its […]

Kerberos is not used when you connect to SMB shares by using IP address

When you connect to a remote Server Message Block (SMB) share by IP address, for example \\192.x.y.z\sharename, Kerberos is not used: the client has no service principal name (SPN) to request a ticket for, so SMB file-share access by IP address falls back to NTLM. A network trace shows the following Kerberos error in the KRB_ERROR: KDC_ERR_S_PRINCIPAL_UNKNOWN, "Server not found in Kerberos database". Cause: By default, Microsoft Windows Server […]
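The following PowerShell is an added example, not code from the original post, showing the behaviour above from both sides: on the client, whether a cifs/ service ticket exists after opening the share by name versus by IP address; on the file server, which authentication package the resulting network logon (Security event 4624, logon type 3) recorded. The host name FS01, address 10.0.0.5 and share name "data" are assumptions; run it from a domain-joined client with admin rights on the file server.

```powershell
# Added example (not from the original post). Assumed lab: file server FS01 at 10.0.0.5
# exposing share 'data'; the script runs on a domain-joined client.

function Test-SmbKerberosTicket {
    # Client side: open the share, then look in the Kerberos ticket cache for a
    # cifs/<server> service ticket. By host name the client requests one; by IP
    # address it has no SPN to ask the KDC for, uses NTLM, and no such ticket appears.
    param([Parameter(Mandatory)][string] $UncPath)   # \\FS01\data or \\10.0.0.5\data

    $server = ($UncPath -split '\\')[2]               # host part of the UNC path
    $addr   = $null
    $isIp   = [System.Net.IPAddress]::TryParse($server, [ref]$addr)

    $reachable = Test-Path -Path $UncPath             # forces the SMB session setup
    $tickets   = klist 2>$null                        # built-in ticket cache viewer
    $pattern   = "Server:\s+cifs/" + [regex]::Escape($server)
    $hasCifs   = [bool]($tickets | Where-Object { $_ -match $pattern })

    [pscustomobject]@{
        Path       = $UncPath
        TargetIsIp = $isIp
        Reachable  = $reachable
        CifsTicket = $hasCifs   # present when Kerberos could be used for this target
    }
}

function Get-NetworkLogonAuthPackage {
    # Server side: event 4624 with LogonType 3 is the network logon created by the
    # SMB session setup; AuthenticationPackageName is 'Kerberos' or 'NTLM'.
    # Requires success auditing of Logon events (default on Windows Server) and
    # rights to read the remote Security log.
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Minutes      = 30
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.LogonType -eq '3') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    ClientIp    = $d.IpAddress
                    Workstation = $d.WorkstationName
                    AuthPackage = $d.AuthenticationPackageName
                }
            }
        }
}

# Usage (assumed lab names)
Test-SmbKerberosTicket -UncPath '\\FS01\data'
Test-SmbKerberosTicket -UncPath '\\10.0.0.5\data'
Get-NetworkLogonAuthPackage -ComputerName 'FS01' |
    Group-Object AuthPackage, ClientIp |
    Select-Object Count, Name
```

With the share opened by name, CifsTicket is true and the server's 4624 for that client shows Kerberos; opened by IP address, CifsTicket is false and the 4624 shows NTLM. The server-side query is the authoritative check, since a cached ticket only proves Kerberos was obtainable, not that this particular session used it; grouping by AuthPackage and ClientIp is also a quick way to find clients that still reach shares by IP when you are trying to retire NTLM.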

Certsrv prompted for credentials !

One of the issues we run into when requesting new certificates from AD CS is the dreaded 401 Unauthorized loop with Certsrv.

Symptom:

1. Browse to the certificate server's web enrollment URL, http://server/certsrv
2. You are prompted for administrator credentials; you enter them
3. You are prompted again for the same credentials; you enter them again
4. You are presented with […]
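The following PowerShell is an added diagnostic, not code from the original post: it reproduces the request programmatically so you can see what IIS actually offers on /certsrv and whether a Negotiate logon with the current token succeeds, and it looks up which AD account holds the HTTP SPN for the CA host name, which Kerberos to IIS depends on. The CA host name ca01.corp.local and the use of plain HTTP are assumptions; the script reports facts and does not decide the cause.

```powershell
# Added example (not from the original post). Assumed CA web enrollment URL:
# http://ca01.corp.local/certsrv/ ; adjust the name to your environment.

function Get-CertsrvAuthChallenge {
    # Sends two requests: anonymous (a 401 is expected; WWW-Authenticate lists the
    # schemes IIS offers) and with the current Windows logon (200 = Windows auth works,
    # a second 401 reproduces the repeated-prompt symptom).
    param([Parameter(Mandatory)][string] $Url)

    function Send-Probe([bool] $UseLogon) {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method = 'GET'
        $req.UseDefaultCredentials = $UseLogon    # Negotiate/NTLM with the current token
        $req.AllowAutoRedirect = $false
        try { $resp = $req.GetResponse() }
        catch {
            $ex = $_.Exception
            if ($ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
            if (-not ($ex -is [System.Net.WebException]) -or -not $ex.Response) { throw }
            $resp = $ex.Response                  # the 401 response itself
        }
        $challenges = $resp.Headers.GetValues('WWW-Authenticate')
        $out = [pscustomobject]@{
            Status     = [int]$resp.StatusCode
            Challenges = if ($challenges) { @($challenges) } else { @() }
        }
        $resp.Close()
        $out
    }

    $anon = Send-Probe $false
    $auth = Send-Probe $true
    [pscustomobject]@{
        Url                 = $Url
        AnonymousStatus     = $anon.Status
        OfferedSchemes      = $anon.Challenges    # e.g. Negotiate, NTLM, Basic realm=...
        AuthenticatedStatus = $auth.Status        # 200 = OK; 401 = the symptom in the post
    }
}

function Get-HttpSpnOwner {
    # Lists AD accounts holding HTTP/<host> SPNs. Kerberos to IIS needs the SPN on the
    # app pool identity when that is a domain account; when the pool runs as a built-in
    # identity the computer account's HOST/ SPN already covers HTTP.
    param([Parameter(Mandatory)][string] $HostName)
    $searcher = [adsisearcher]"(servicePrincipalName=HTTP/$HostName*)"
    $searcher.PageSize = 200
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string]$r.Properties['samaccountname'][0]
            Spns    = @($r.Properties['serviceprincipalname'] | Where-Object { $_ -like "HTTP/$HostName*" })
        }
    }
}

# Usage (assumed names)
Get-CertsrvAuthChallenge -Url 'http://ca01.corp.local/certsrv/'
Get-HttpSpnOwner       -HostName 'ca01.corp.local'
```

If OfferedSchemes contains only NTLM or Basic, or AuthenticatedStatus is 401 while the credentials are known good, capture the exchange with a network trace and compare it with the SPN owner output before changing IIS or AD settings; the post's own explanation of the cause continues in the full article.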