Hacker - Defending Active Directory Against Cyberattacks

Here is a very interesting Microsoft Virtual Academy course about Active Directory security.

https://mva.microsoft.com/en-US/training-courses/defending-active-directory-against-cyberattacks-16327?l=Gj8k5XsSC_2004300474


Interested in the why, how, and what of Active Directory (AD) and enterprise protection? This course has the answers you need to help you defend AD against cyberattacks. Learn from the experts, as they look at Active Directory from an enterprise risk perspective. The key to success is knowing what your high-value assets are, securing them, and securing their dependencies.

Whether your digital assets are on-premises or in the cloud, join us to explore the AD environment, today's adversaries, relationship dynamics, and strategic prioritization, along with adoption of least privilege. Take a look at the different aspects of Active Directory security, based on findings from the Microsoft Cybersecurity Services team, learn strategies to protect privileged identities in your environment, and finish the course with a roadmap for hardening your AD environment. Defenders must be as adaptive as today's adversaries, and this course is a good place to start.

1 | Active Directory Security: First Things First
Take a look at the sophisticated threats that target Active Directory. Examine the anatomy of a cyberattack, and review the basics of Active Directory security.
2 | Adopt Least Privilege
Learn about the centricity of Active Directory, further explore Tier 0, and understand the importance of assigning least privilege, including its role in your organization’s cyberdefense strategy.
3 | Protect Privileged Identities
Adversaries leverage privileged identities, the primary attack vector, to persist and expand the scope of compromise. Learn strategies to protect privileged identities in your environment.
4 | Defend Your Directory
Do you know who your admins are? Learn why maintaining solid access control to sensitive directory objects is important for mitigating stealthy means of persistence and escalation of privilege.
5 | Defend Your Domain Controllers
Protecting Domain Controller hosts is fundamental to maintain the integrity of the overall access model and security boundary provided by Active Directory. Learn how to mitigate the risks.
6 | Beware of Security Dependencies
Security dependencies are one of the more sophisticated means of compromising Active Directory. Learn how to minimize and protect the security dependencies in your organization's environment.
7 | Monitoring
Collection is not the same as detection. Learn what to collect and how to analyze and respond to your collected data. Start making more informed decisions in response to security events.
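Module 4 asks "Do you know who your admins are?". As an added example (not part of the course material), here is a PowerShell pass over the built-in Tier 0 groups that expands nested membership and also lists accounts still carrying adminCount=1 after leaving a protected group, which is where forgotten admins usually hide. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list is the standard set of protected groups, extend it with your own.

```powershell
# Added example, not from the MVA course: answer "who are the admins?" from the
# directory itself. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Built-in groups whose members effectively control the directory (Tier 0).
$tier0Groups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators',
    'Server Operators', 'Print Operators'
)

function Get-Tier0Member {
    # -Recursive expands nested groups; a user nested three groups deep is
    # just as much a Domain Admin as a direct member.
    foreach ($g in $tier0Groups) {
        $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }
        Get-ADGroupMember -Identity $grp -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties Enabled, PasswordLastSet, LastLogonDate, AdminCount |
            Select-Object @{n='Group';e={$g}}, SamAccountName, Enabled,
                          PasswordLastSet, LastLogonDate, AdminCount
    }
}

# AdminSDHolder stamps adminCount=1 on members of protected groups and never
# clears it. Accounts with the flag that are no longer in any Tier 0 group are
# leftovers worth reviewing (and they keep the restrictive AdminSDHolder ACL).
function Get-StaleAdminCount {
    $current = (Get-Tier0Member).SamAccountName | Sort-Object -Unique
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties AdminCount |
        Where-Object { $current -notcontains $_.SamAccountName }
}

Get-Tier0Member | Sort-Object Group, SamAccountName | Format-Table -AutoSize
Write-Host "`nAccounts with adminCount=1 that are in no Tier 0 group:"
Get-StaleAdminCount | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Run it from a workstation that is itself treated as Tier 0 (a Privileged Access Workstation), since the account doing the enumeration needs to read the whole directory. Old PasswordLastSet and LastLogonDate values on a Tier 0 account are the first thing to chase.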

Windows 10 - Remote Server Administration Tools for Windows 10

Remote Server Administration Tools for Windows 10 lets IT administrators manage Windows Server Technical Preview from a remote computer running the full release version of Windows 10.

Remote Server Administration Tools for Windows 10 includes Server Manager, Microsoft Management Console (MMC) snap-ins, consoles, Windows PowerShell cmdlets and providers, and command-line tools for managing roles and features that run on Windows Server Technical Preview. 

Microsoft Download:

https://www.microsoft.com/en-us/download/details.aspx?id=45520
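RSAT is an administrative toolset that will run on privileged workstations, so the package is worth verifying before it is installed. The following PowerShell is an added example, not part of the Microsoft download page; the file path is an assumption and the signer check simply requires a valid Authenticode signature whose subject is Microsoft Corporation.

```powershell
# Added example, not from the download page: check the Authenticode signature of
# the downloaded RSAT .msu before installing it. The path is an assumption.
$pkg = 'C:\Downloads\RSAT.msu'

function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Subject    = if ($signer) { $signer.Subject } else { $null }
        Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        # Both conditions: a valid chain AND the expected signer. A valid
        # signature from someone else is not good enough.
        Trusted    = ($sig.Status -eq 'Valid') -and
                     ($signer -and $signer.Subject -like '*O=Microsoft Corporation*')
    }
}

$r = Test-MicrosoftSigned -Path $pkg
$r | Format-List
if (-not $r.Trusted) {
    throw "Refusing to install $($r.File): signature status $($r.Status), signer '$($r.Subject)'"
}
# Only after the check: wusa.exe is the installer for .msu packages.
Start-Process -FilePath wusa.exe -ArgumentList "`"$pkg`" /quiet /norestart" -Wait
```

The same function works for any .exe, .msi or .ps1 you are about to run on an admin workstation; compare the thumbprint against a previously verified copy if you want to pin the signer rather than just its name.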

Hyper-V 2012 R2 - Veeam 9 B&R clustered host freeze issue and resolution

On two Windows Server 2012 R2 hosts with the Hyper-V role, a SAN and CSV, we had a problem with Veeam 9 B&R: the single host on which B&R was backing up an active VM froze.

More precisely, the public LAN became unreachable until a hard reset and only the replication LAN kept working, which gave us these symptoms:

1. The affected host was reachable via RDP from the working host over the replication LAN IP/subnet.

2. The cluster was OK, but the VM being backed up was locked.

3. We could not live migrate the VM to the other host or perform any other action on it (shutdown, hard reset, ...).

Here are the actions taken to solve the issue, other than the temporary workaround of hard resetting the frozen Hyper-V host.

Veeam B&R showed that the following Microsoft hotfixes were missing on both hosts (check the patch prerequisites before installing):

Host: XXXXXXX

KB3068444: Resolves an issue where a cluster node experiences a Stop 0xF5 FLTMGR_FILE_SYSTEM when using Shared VHDX. Available for individual download. To apply this update, you must first install update 2919355 on Windows Server 2012 R2.

https://support.microsoft.com/en-us/kb/3068444

KB3068445: Resolves an issue where a deadlock or Stop 0x9E occurs on a cluster node when there are a lot of network (SMB) I/O requests to large files (1 TB or more). Includes the fix from 3044457. Available for individual download. To apply this update, you must first install update 2919355 on Windows Server 2012 R2.

https://support.microsoft.com/en-us/kb/3068445

KB3072380: Resolves an issue on a Hyper-V cluster where the heartbeat component times out during a long-running snapshot. The snapshot fails and the VM restarts. Available for individual download. To apply this update, you must first install update 2919355 on Windows Server 2012 R2.

https://support.microsoft.com/en-us/kb/3072380

KB3090343: Cluster service stops during the VSS backup in a Windows Server 2012 R2-based Hyper-V cluster.
Description: Resolves an issue that occurs when you use Volume Shadow Copy Service (VSS) backup on a Cluster Shared Volumes (CSV) volume with a software snapshot provider in Windows Server 2012 R2.

https://support.microsoft.com/en-us/kb/3090343
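Before installing anything, it is worth confirming on every node which of the listed fixes (and the KB2919355 prerequisite) are actually present. The script below is an added example, not from the Veeam report; the node names are assumptions, and it pulls the full hotfix list per node rather than using Get-HotFix -Id, which throws as soon as one ID is absent.

```powershell
# Added example, not from the Veeam report: check the prerequisite and the four
# fixes above on every cluster node. Node names are assumptions; with the
# FailoverClusters module you can use (Get-ClusterNode).Name instead.
$nodes    = 'hv-node1', 'hv-node2'
$required = 'KB2919355', 'KB3068444', 'KB3068445', 'KB3072380', 'KB3090343'

function Get-HotfixStatus {
    param([string[]]$ComputerName, [string[]]$Kb)
    foreach ($c in $ComputerName) {
        # One query per node, then compare locally: Get-HotFix -Id fails on the
        # first missing ID, which is exactly the case we want to report.
        $installed = (Get-HotFix -ComputerName $c -ErrorAction Stop).HotFixID
        foreach ($k in $Kb) {
            [pscustomobject]@{
                Node      = $c
                HotFix    = $k
                Installed = ($installed -contains $k)
            }
        }
    }
}

$report = Get-HotfixStatus -ComputerName $nodes -Kb $required
$report | Format-Table -AutoSize

# KB2919355 must go on first; the other four will not apply without it.
$report | Where-Object { -not $_.Installed } | ForEach-Object {
    if ($_.HotFix -eq 'KB2919355') {
        Write-Warning "$($_.Node): prerequisite $($_.HotFix) missing - install it before the others"
    } else {
        Write-Warning "$($_.Node): $($_.HotFix) missing"
    }
}
```

Run it again after patching and after each reboot; a node that reports the fix only after the reboot is the usual reason a freeze "comes back" on one host but not the other.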

Meanwhile we checked the firewall status and verified that the following antivirus exclusions were in place and working:

*.AVHD
*.AVHDX
*.ISO
*.VHD
*.VHDX
C:\ClusterStorage\Volume1\
C:\ProgramData\Microsoft\Windows\Hyper-V\
Vmms.exe
Vmwp.exe


After these actions the problem was solved.

Here is another Veeam article (which, as confirmed by Veeam support, applies to Veeam 9.0 too):

Tips - How to read .p7m files with DigitalSign Reader

Over the years, end users have often had problems opening .p7m files on their computers.

Since finding a suitable free tool was not immediately straightforward, I am noting here the software that worked for me.

DigitalSign Reader 5.0 

http://www.comped.it/it/prodotti/digitalsign-reader/digitalsign-reader-5-scaricalo-subito

I hope this information is useful to someone.
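A .p7m file is a CMS/PKCS#7 SignedData envelope around the original document, so besides a viewer it is worth being able to check who signed it and whether the signature is intact before trusting the content. The PowerShell below is an added example, not part of the original tip and not related to DigitalSign Reader; it uses the .NET SignedCms class that ships with Windows, and the file paths are assumptions.

```powershell
# Added example, not from the original tip: decode a .p7m (CMS SignedData),
# report the signers, verify the signature and write out the signed payload.
Add-Type -AssemblyName System.Security

function Read-P7m {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OutFile
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Some .p7m files are Base64 text instead of DER; DER starts with 0x30 0x82,
    # which never matches the Base64 alphabet check below.
    $head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(64, $bytes.Length))
    if ($head -match '^[A-Za-z0-9+/=\r\n]+$') {
        $bytes = [Convert]::FromBase64String([System.Text.Encoding]::ASCII.GetString($bytes))
    }

    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($bytes)

    $signers = foreach ($s in $cms.SignerInfos) {
        # verifySignatureOnly=$true: is the signature mathematically valid?
        $sigOk = $true
        try { $s.CheckSignature($true) } catch { $sigOk = $false }
        # verifySignatureOnly=$false: additionally, does the certificate chain
        # to a root this machine trusts? Often false for foreign CAs.
        $chainOk = $true
        try { $s.CheckSignature($false) } catch { $chainOk = $false }
        [pscustomobject]@{
            Subject        = $s.Certificate.Subject
            Issuer         = $s.Certificate.Issuer
            NotAfter       = $s.Certificate.NotAfter
            SignatureValid = $sigOk
            ChainTrusted   = $chainOk
        }
    }

    # For an enveloping signature the original file is the CMS content.
    if ($OutFile -and $cms.ContentInfo.Content.Length -gt 0) {
        [System.IO.File]::WriteAllBytes($OutFile, $cms.ContentInfo.Content)
    }
    $signers
}

# Usage (paths assumed): strip the .p7m layer and show who signed it.
Read-P7m -Path 'C:\temp\contratto.pdf.p7m' -OutFile 'C:\temp\contratto.pdf' | Format-List
```

SignatureValid tells you the content has not been altered since signing; ChainTrusted depends on whether the signer's CA is in the local trust store, so a false there is a reason to look at the issuer, not necessarily a forgery. A detached .p7s signature has no embedded content and nothing is written out.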

Windows 2000 - "c:windows\system32\config\" missing or corrupted


I had a problem on a very old Windows 2000 server: I got the following error and no boot method worked:

"c:windows\system32\config\" missing or corrupted

I tried several procedures:

  1. Last Known Good Configuration
  2. Windows recovery mode
  3. Booting from the Server CD, entering the Recovery Console and running chkdsk

The only solution was to follow this Microsoft article:

KB269075


Here are the key commands used (from the Recovery Console):


cd system32\config
ren system system.old
ren system.alt systemalt.old

To copy the default System hive, type the following command, and then press ENTER:

copy c:\winnt\repair\system c:\winnt\system32\config

To copy the System hive that was backed up the last time that you ran the Emergency Repair Disk Wizard, type the following command, and then press ENTER:

copy c:\winnt\repair\regback\system c:\winnt\system32\config

In my case there was c:\winnt\repair\system.bak file that I copied with this command:

copy c:\winnt\repair\system.bak c:\winnt\system32\config

Windows 7/8/10 - How to enable God Mode

Windows God Mode is simply a folder that collects all Windows 7/8/10 administration shortcuts in a single place.

To enable God Mode you just need to create a folder with this name:

God Mode .{ED7BA470-8E54-465E-825C-99712043E01C}

You get a single folder with the Control Panel and every other Windows settings command.

<--------->


God Mode is basically a plain folder that brings all the control settings of Windows 7/8/10 together in one place.
It contains every Control Panel function, interface personalization, accessibility options and almost every other aspect of Windows 7 configuration.

God Mode is very easy to enable; just follow these two steps:


  • create a new folder anywhere you like on your PC;
  • rename the folder by pasting this name exactly as it appears: God Mode .{ED7BA470-8E54-465E-825C-99712043E01C}

That's it: you now have, in a single folder with the Control Panel icon, every control for your Windows 7/8/10.

Old article:

http://www.alessandromazzanti.com/2010/12/attivare-il-god-mode-in-windows-7.html

Exchange 2010 - How to monitor Exchange Health

There are several ways to monitor Exchange Server.

In a previous article I mentioned a PowerShell script for this purpose on Exchange 2013:

http://www.alessandromazzanti.com/2015/06/exchange-2013-how-to-monitor-it-with.html

1. First, you can run these commands remotely from the Exchange Management Shell:

Test-ServiceHealth
Test-ServiceHealth SERVERNAME
Test-ServiceHealth br-ex2010-mb | ft Role,RequiredServicesRunning -auto

Get-ExchangeServer | Test-ServiceHealth | ft Role,RequiredServicesRunning -auto

Get-MailboxDatabase
Get-MailboxDatabase -Status | ft name,last* -auto

Get-MailboxDatabaseCopyStatus | fl name,contentindexstate

(Get-DatabaseAvailabilityGroup) | ForEach {$_.Servers | ForEach {Get-MailboxDatabaseCopyStatus -Server $_}}

Test-MapiConnectivity -Server SERVERNAME

Test-Mailflow -TargetMailboxServer OTHERSERVERNAME   (mail flow between two servers)
Test-Mailflow -TargetDatabase DBNAME                  (mail flow to a specific database)
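The commands above each answer one question; what you want from a scheduled check is only the list of things that are wrong. The function below is an added example (not one of the linked scripts) that runs the same checks across every server and DAG member and returns just the failures. It is written for the Exchange 2010 Management Shell, so it avoids PowerShell 3.0 syntax; the copy-queue threshold of 10 is an assumption.

```powershell
# Added example, not one of the linked scripts: one pass over the whole
# organisation, returning only unhealthy items. Run in the Exchange Management
# Shell (PowerShell 2.0 compatible on purpose).
function Get-ExchangeHealthIssue {
    $issues = @()

    # Required services per installed role, on every server.
    foreach ($srv in Get-ExchangeServer) {
        $roles = Test-ServiceHealth -Server $srv.Name -ErrorAction SilentlyContinue
        foreach ($r in ($roles | Where-Object { -not $_.RequiredServicesRunning })) {
            $issues += New-Object PSObject -Property @{
                Server = $srv.Name; Check = 'ServiceHealth'
                Detail = "$($r.Role): not running $($r.ServicesNotRunning -join ', ')"
            }
        }
    }

    # Database copies: status, content index and replication queue per DAG member.
    foreach ($dag in Get-DatabaseAvailabilityGroup) {
        foreach ($member in $dag.Servers) {
            foreach ($copy in (Get-MailboxDatabaseCopyStatus -Server $member)) {
                $bad = (('Mounted', 'Healthy') -notcontains "$($copy.Status)") -or
                       ("$($copy.ContentIndexState)" -ne 'Healthy') -or
                       ($copy.CopyQueueLength -gt 10)        # assumed threshold
                if ($bad) {
                    $issues += New-Object PSObject -Property @{
                        Server = "$member"; Check = 'DatabaseCopy'
                        Detail = "$($copy.Name): $($copy.Status), index $($copy.ContentIndexState), queue $($copy.CopyQueueLength)"
                    }
                }
            }
        }
    }

    # MAPI logon to each active database on each mailbox server.
    foreach ($ms in Get-MailboxServer) {
        foreach ($t in (Test-MapiConnectivity -Server $ms.Name -ErrorAction SilentlyContinue)) {
            if ("$($t.Result)" -ne 'Success') {
                $issues += New-Object PSObject -Property @{
                    Server = $ms.Name; Check = 'MAPI'
                    Detail = "$($t.Database): $($t.Result) $($t.Error)"
                }
            }
        }
    }
    $issues
}

$found = Get-ExchangeHealthIssue
if ($found) { $found | Format-Table Server, Check, Detail -AutoSize -Wrap } else { 'All checks passed' }
```

Because it returns objects, the output can be piped to Send-MailMessage, written to a log, or turned into an exit code for a monitoring system, without parsing text.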



2. Generate a Health Report for an Exchange Server 2016/2013/2010 environment



This PowerShell script performs a series of health checks on Exchange Server 2010 and 2013 Database Availability Groups and then outputs the results to screen or HTML email.



https://gallery.technet.microsoft.com/office/Generate-Health-Report-for-19f5fe5f

3. Here is the full list of Microsoft scripts:

https://gallery.technet.microsoft.com/site/search?query=exchange%202010%20health%20check&f%5B2%5D.Value=exchange%202010%20health%20check&f%5B2%5D.Type=SearchText&f%5B0%5D.Value=Exchange&f%5B0%5D.Type=RootCategory&f%5B0%5D.Text=Exchange&f%5B1%5D.Value=Exchange2010&f%5B1%5D.Type=SubCategory&f%5B1%5D.Text=Exchange%202010&ac=5

4. Exchange 2010 Health Check

The purpose of this PowerShell script is to send a report on the health of various areas of the Microsoft Exchange 2010 environment. The script should work with PowerShell 2.0 and later, and it is designed so that it can be run in an automated fashion from a Scheduled Task.

https://gallery.technet.microsoft.com/Exchange-2010-Health-Check-647cd668


<---------->

Consider that these scripts can be scheduled to run continuously.

[update 1]

Test-ReplicationHealth servername

Get-ClientAccessServer | Test-MRSHealth | fl check,Passed,Identity,IsValid
Get-ClientAccessServer | Test-MRSHealth

Interesting article:

http://www.computerperformance.co.uk/exchange2010/exchange_2010_powershell.htm

[update 2]

http://exchangeserverpro.com/powershell-script-exchange-server-health-check-report/

Scheduled task syntax:

Program: c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Arguments: -command "C:\_Script_Monitoring\Test-ExchangeServerHealth_1_0.ps1 -SendEmail -ReportMode -Log"

My scheduled task settings for this script are:

•Run whether user is logged on or not

•Run with highest privileges

•Action: Start a program 

•Program: powershell.exe

•Arguments: 

-command "C:\Scripts\ExchangeServerHealth\Test-ExchangeServerHealth.ps1 -Log -SendEmail"
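The same task can be registered from PowerShell instead of the Task Scheduler GUI, which makes the settings reviewable and repeatable across servers. The snippet below is an added example, not from the linked post; it needs the ScheduledTasks module (Windows Server 2012 or later), and the script path, schedule and service account name are assumptions. It deliberately runs with a limited run level under a dedicated read-only account: a health report only reads Exchange, so "Run with highest privileges" and an admin account are more than it needs.

```powershell
# Added example, not from the linked post: register the health-check task.
# Assumes Windows Server 2012+ (ScheduledTasks module). Path/account assumed.
$script  = 'C:\Scripts\ExchangeServerHealth\Test-ExchangeServerHealth.ps1'
$account = 'CONTOSO\svc-exchmon'   # assumed: a View-Only Organization Management member

# -File instead of -command avoids a second layer of quoting; -NonInteractive
# makes a hung prompt fail instead of blocking the task forever.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$script`" -Log -SendEmail"

$trigger  = New-ScheduledTaskTrigger -Daily -At '07:00'
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
    -MultipleInstances IgnoreNew

# "Run whether user is logged on or not": the password is supplied once here and
# held by the Task Scheduler service; it is never written into the task XML or
# the script arguments.
$cred = Get-Credential -UserName $account -Message 'Password for the task account'

Register-ScheduledTask -TaskName 'Exchange health report' `
    -Description 'Daily Exchange health check, read-only' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $account -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited

# Review what was registered, including the principal it runs as.
Get-ScheduledTask -TaskName 'Exchange health report' | Select-Object TaskName, State,
    @{n='RunAs';e={$_.Principal.UserId}}, @{n='RunLevel';e={$_.Principal.RunLevel}}
```

If the script turns out to need elevation, change -RunLevel to Highest for that one task rather than granting the service account broader Exchange roles.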

<-------->

You may also be interested in these similar articles:

Exchange 201X - How to get all users who have a forwarding email, redirect rule and delegate permission on their mailboxes or Outlook folders

Exchange 2013 - How to monitor it with PowerShell commands

Exchange - Microsoft Exchange Server User Monitor

Exchange 2010 - Architecture poster

Exchange 2010 - How to monitor Exchange Health

Exchange 2010 - How to export a single mailbox or all mailboxes to PST with a single command or PowerShell command

Exchange 2010 - How to get info on mobile devices connected via ActiveSync, quarantine any new device and remotely wipe them

Exchange 2003/2010 - Add a photo to a user contact


Exchange - Your Administrator has made a change and requires you to restart Outlook

If you are seeing this problem with Exchange and Outlook, there are several possible causes.

 

1. First, download this tool and check the Office 20XX client for problems:

Office Configuration Analyzer Tool (OffCAT) information

https://support.microsoft.com/en-us/kb/2812744

https://www.microsoft.com/en-us/download/details.aspx?id=36852


The problem arises when an Outlook client connects to the CAS array. If Outlook initially connects to the CAS array member that hosts the public folder (PF) database, Outlook merges all connections and shows both the public and private logons as a single connection (the CAS array name). When the client's IP address changes and it reconnects, if it lands on a CAS array member that does not host the PF database, Exchange returns an ecWrongServer response; Outlook's reconnect logic cannot follow the redirection result that contains the correct PF server name, and it displays the error "The Administrator has made a change that requires you restart Outlook".

2. Mitigations:

You can completely suppress the dialog (note that this only hides the message; the underlying redirection problem remains):


How to suppress the pop-up "The Microsoft Exchange administrator has made a change that requires you quit and restart Outlook" in Outlook 2010

• Uncheck the option “Show Microsoft Exchange Messages” from the Outlook icon on taskbar, and test the behavior.


This setting is controlled by the registry value:

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Display Types\Balloons

Name: Exchange

Type: DWORD

Value: 1 (on) / 0 (off)

3. It could be related to a public folder problem:

https://msexchange.me/2014/04/20/the-microsoft-exchange-administrator-has-made-a-change-that-requires-you-quit-and-restart-outlook/

https://exchangemaster.wordpress.com/tag/the-microsoft-exchange-administrator-has-made-a-change-that-requires-you-quit-and-restart-outlook/

http://paulroman.pras.ro/2012/08/the-microsoft-exchange-administrator.html

4. If you put your PC in standby while Outlook is still open, Autodiscover on wake-up can also produce this alert.


[update 2016.05.18]

5. Here is an interesting article explaining the ADSI Edit check that shows whether an Exchange mailbox database references the wrong public folder database:

https://jaapwesselius.com/2014/08/05/the-microsoft-exchange-administrator-has-made-a-change/

[UPDATE 2016.05.30]

On an Exchange 2010 DAG configuration, here is an interesting article that points to a wrong public folder configuration as the main problem; in my case this was the correct answer.

On one Exchange server the PF database was correctly configured with replication; on the other one PF replication was not configured properly. Once that was fixed everything worked better.

http://www.msexchangegeek.com/the-microsoft-exchange-administrator-has-made-a-change-that-requires-you-quit-and-restart-outlook/
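Updates 5 and 6 both come down to the same question: does every mailbox database point at a public folder database that still exists and replicates? The check below is an added example (not from the linked articles) for the Exchange 2010 Management Shell: it compares each mailbox database's PublicFolderDatabase reference with the live PF databases and flags references to deleted objects, then repairs them. The replacement PF database name is an assumption.

```powershell
# Added example, not from the linked articles: find mailbox databases whose
# PublicFolderDatabase reference is empty, points at a deleted object, or
# names a PF database that no longer exists. Exchange 2010 Management Shell.
function Get-BrokenPublicFolderReference {
    $livePf = Get-PublicFolderDatabase | ForEach-Object { $_.Name }
    foreach ($db in Get-MailboxDatabase) {
        $ref  = $db.PublicFolderDatabase          # ADObjectId or $null
        $name = if ($ref) { $ref.Name } else { '' }
        $dn   = if ($ref) { $ref.DistinguishedName } else { '' }
        New-Object PSObject -Property @{
            Database     = $db.Name
            Server       = $db.Server.Name
            PublicFolder = $name
            # A deleted AD object keeps a DN containing \0ADEL: (the same tombstone
            # marker that appears in the stale FSMO owner output elsewhere on this page).
            Broken       = ($name -eq '') -or ($dn -match '0ADEL:') -or ($livePf -notcontains $name)
        }
    }
}

Get-BrokenPublicFolderReference | Format-Table Database, Server, PublicFolder, Broken -AutoSize

# Repair: point every broken reference at a PF database that exists and replicates
# the folders those users need. Check Get-PublicFolderDatabase before choosing it.
$goodPf = 'PF-DB01'   # assumed name
Get-BrokenPublicFolderReference | Where-Object { $_.Broken } | ForEach-Object {
    Write-Host "Setting $($_.Database) -> $goodPf"
    Set-MailboxDatabase -Identity $_.Database -PublicFolderDatabase $goodPf
}
```

Outlook clients pick up the new default PF database on their next profile refresh; the restart prompt stops once all databases in the DAG point at a reachable PF database.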

Exchange - Console "The attempt to connect to http://yourserver/PowerShell using "Kerberos" authentication failed"

If you get this error in the Exchange 2010 console:

The attempt to connect to http://exchange.contoso.com/powershell using 'Kerberos' authentication failed: Connecting to the remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos  authentication: The network path was not found.

The solution is to first export and then delete a registry value:

- Launch regedit and go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\ExchangeServer\v14\AdminTools

- Look for the value NodeStructureSetting.

- If it is there, back it up and then remove it.

Server - DCPromo out fails: unable to determine the ownership of floating single-master operation roles

We hit this error while demoting a DC:

DCPromo out fails with: The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

The following command returned correct results:

netdom query fsmo

But on all DCs there was stale information pointing to an old PDC DC that no longer existed:

dsquery * CN=Infrastructure,DC=ForestDnsZones,DC=sevescorp,DC=com -attr fSMORoleOwner

Output:

CN=NTDS Settings\0ADEL:123412345-1234-1234-1234-123123123123,CN=XXXX-AD\0ADEL:123412345-1234-1234-1234-123123123123,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxxxxxx,DC=com

Then we opened ADSIEdit.msc and connected to:

CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=int



and changed this information to the correct value:



You must execute these activities on the schema master DC.

The same procedure must be repeated on

CN=NTDS Settings,CN=,CN=Servers,CN=,CN=Sites, CN=Configuration,DC=domain,DC=local

with ADSI Edit, using point 3 of this article:

http://www.more2know.nl/tag/fsmoroleowner/

To get the correct string, see point 1 of the previous article, mainly going here:



Here is another useful article:

http://www.zerohoursleep.com/2011/07/dcpromo-out-fails-with-the-directory-service-is-missing-mandatory-configuration-information-and-is-unable-to-determine-the-ownership-of-floating-single-master-operation-roles/

We changed this information; afterwards it replicated correctly and the demotion worked fine.
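The dsquery above checks one partition by hand; the same stale reference can sit in DomainDnsZones or in the domain-level role holders as well. The script below is an added example (not from either linked article) that scans every naming context for an fSMORoleOwner pointing at a deleted NTDS Settings object (the \0ADEL: tombstone marker in the output above) and rewrites it to a DC that still exists. It needs the RSAT ActiveDirectory module and Enterprise Admin rights; the DC name in the repair step is an assumption. The write is sent to the DC that is to become the owner, which is how a role transfer is performed.

```powershell
# Added example, not from the linked articles: find and fix fSMORoleOwner
# values that reference a deleted DC. RSAT ActiveDirectory module required.
Import-Module ActiveDirectory

function Get-StaleFsmoOwner {
    $root = Get-ADRootDSE
    $dom  = $root.defaultNamingContext
    $targets = @(
        $dom,                                                  # PDC emulator
        "CN=Infrastructure,$dom",                              # Infrastructure master
        ('CN=RID Manager$,CN=System,' + $dom),                 # RID master
        $root.schemaNamingContext,                             # Schema master
        "CN=Partitions,$($root.configurationNamingContext)"    # Domain naming master
    )
    # Each application partition carries its own Infrastructure object; these
    # are the ones dcpromo trips over after a DC was removed without demotion.
    foreach ($nc in $root.namingContexts) {
        if ($nc -like 'DC=ForestDnsZones,*' -or $nc -like 'DC=DomainDnsZones,*') {
            $targets += "CN=Infrastructure,$nc"
        }
    }
    foreach ($dn in $targets) {
        $o = Get-ADObject -Identity $dn -Properties fSMORoleOwner -ErrorAction SilentlyContinue
        if (-not $o) { continue }
        New-Object PSObject -Property @{
            Holder = $dn
            Owner  = $o.fSMORoleOwner
            # \0ADEL: in the DN means the NTDS Settings object is a tombstone.
            Stale  = (-not $o.fSMORoleOwner) -or ($o.fSMORoleOwner -match '\\0ADEL:')
        }
    }
}

Get-StaleFsmoOwner | Format-Table Stale, Holder, Owner -Wrap

# Repair: the new value is the NTDS Settings DN of a live DC, and the write goes
# to that DC so it accepts the role. Run the report again afterwards.
$dc   = Get-ADDomainController -Identity 'DC01'     # assumed name
$ntds = $dc.NTDSSettingsObjectDN
Get-StaleFsmoOwner | Where-Object { $_.Stale } | ForEach-Object {
    Write-Host "Fixing $($_.Holder) -> $ntds"
    Set-ADObject -Identity $_.Holder -Replace @{ fSMORoleOwner = $ntds } -Server $dc.HostName
}
```

For the five standard roles, Move-ADDirectoryServerOperationMasterRole is the supported path and should be preferred when the current owner is still online; the direct attribute write is for the application partitions and for owners that no longer exist.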

Scripting - How to refresh a remote client's IP address

If you need to force a remote PC to refresh its IP address, you can use this procedure.

1. Download PsExec.

2. Save this cmd script on the remote C: drive:

@echo off
ipconfig /release && ipconfig /renew

3. Run this command:

psexec \\remotepcnameorip -e -u domain\user -p password -h "c:\scriptname.cmd"
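Two things to watch in the procedure above: -p puts the password on the command line, where it is visible in process listings and shell history, and releasing the address also drops the session that launched the script. The PowerShell below is an added example, not the page's script; it does the same release/renew over WinRM with a prompted credential and starts the renew in a detached process. It assumes WinRM is enabled on the target and that a child process started with Start-Process survives the end of the remoting session.

```powershell
# Added example, not the page's script: release/renew a remote client's IP
# without a plaintext password on the command line. Assumes WinRM is enabled
# on the target and that a detached child process outlives the remote session.
function Reset-RemoteIp {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Prompted, so the password never lands in a process list or history file.
        [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        # The release takes down the NIC this session rides on, so the renew
        # must run in a process that does not die with the remote runspace.
        # A single & (not &&) runs the renew even if the release reports an
        # error, e.g. on an adapter with a static address.
        $cmd = 'ipconfig /release & ipconfig /renew'
        Start-Process -FilePath cmd.exe -ArgumentList "/c $cmd" -WindowStyle Hidden
        "release/renew started on $env:COMPUTERNAME at $(Get-Date -Format s)"
    }
}

Reset-RemoteIp -ComputerName 'ws-remote01'   # host name assumed
```

If you keep using PsExec, omit -p: PsExec then prompts for the password interactively instead of taking it from the command line. Either way, wait a few seconds and confirm the new lease with Test-Connection or a DNS lookup, since the session that issued the command will not see the renew complete.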