Category: security

Jun 17 2013

Powershell: Forensic One-liners

We will show in this post how you can gather evidence of a potential remote attack on your Windows computer with some Powershell one-liners. This is done by analyzing the security log with the Get-EventLog cmdlet and by displaying active remote connections with the Netstat command.
Read more »

Apr 23 2013

Powershell: Oracle, Exchange, secure string.

We will describe in this post how to connect to an Oracle database using Powershell cmdlets, this database hosts HR data. We will check if every employee has an Exchange 2010 mailbox. The common key between both systems (Oracle and Exchange) has to be a filterable attribute for performance issues when querying the Exchange mailboxes. Exchange’s attribute is CustomAttribute13 in our example and the corresponding Oracle value is HRCODE.
Read more »

Mar 15 2013

Processes security: EMET configuration, enabling DEP, ASLR…

In order to control what processes are running on your clients you can use the Software Restriction Policies or tools like Applocker or Bit9. You can also increase the security of you system on the allowed processes by enabling some mitigations like DEP, ASLR, SEHOP… We will describe in this post how to use EMET: A tool provided by Microsoft which allows you to configure these features. By protecting the processes running on your computer with these features you can even be protected against some 0-day exploits.
Read more »

Feb 12 2013

Domain controller hardening: NTDS grab.

Once hackers gain domain administrator privileges and are able to logon to domain controllers they usually try to dump the NTDS database (see chapter Dumping All The Hashes–ntdsgrab.rb). This way they will try to crack every single domain user’s password, this happened recently when the New York Times was targeted by a cyber-attack. We will see in this post how to make this task more difficult to a hacker who has gained domain admin privileges by modifying some security settings on the Domain controllers.
Read more »

Dec 10 2012

Pentesting an Active Directory infrastructure

We will see in this post some steps of a pentest against an ADDS domain. This pentest focuses only on the Microsoft System and does not take into account Antivirus, Firewall, IDS and IPS protections. The parts we describe in detail are scanning, exploitation and maintaining access. The pentest is performed with BackTrack 5 R3, you can download it here. The tools we use are Nmap, Nessus, Metasploit (the hacker’s framework, exploits are written in ruby), John the Ripper and Powershell. The pentest’s goal is to retrieve domain administrator credentials and maintain the access on the ADDS domain discretly.
Read more »

Oct 07 2012

Dcpromo: the system detected a possible attempt to compromise security

When demoting a domain controller the following error message appeared:

The operation failed because: Managing the network session with dc-srv2.ldap389.local failed.
“The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.”

Read more »

Aug 22 2012

Windows server 2012: PFX Certificates and SNI feature under IIS 8.0

Unless you’ve been living underground for the last few weeks, you should have already heard that Windows server 2012 RTM is available :-).  Last time I blogged about this operating system it was still named Windows server 8 Developer Preview. I will describe in this post how IIS 8 supports multiple SSL website certificates on a single IP and port, this feature is called Server Name Indication (SNI), and supported under Apache since version 2.2.12… I will also talk about the new features provided in Windows server 2012 for exporting/importing certificates in the PFX file format, in order to deploy certificates on a Webserver farm.
Read more »

Jan 04 2012

Powershell: Export firewall rules on your TMG servers

In order to manage TMG with powershell you need to use the FPC.root COM object. For more details you can read this article. The purpose of this script is to export for each TMG server the Firewall Policies in XML format:

Read more »

Dec 19 2011

OWA published with a TMG array member of a domain located in the DMZ

We will describe in this post how to set up Threat Management Gateway in a domain located in the perimeter network (DMZ) in order to publish your Outlook Web Access external URL and ensure a secure SSL connection. The OWA site is installed on the CAS servers of your Exchange infrastructure. The internal URL, registered in your private DNS, is being accessed by the computers in your internal network which are members of your domain. The external URL, registered in your public DNS, is being accessed by any computer connected to the internet, which obviously is not necessarily a member of your domain. To get both internal and external URL launch the following command on the Exchange Management Shell:

Get-OwaVirtualDirectory | ft server,InternalURL,externalURL

Read more »

Nov 04 2011

Powershell: Compare WSUS target groups

This script compares the updates approved between two WSUS target groups. It can ben useful when you want to get the differences between a test and a production group, you can read this Group Policy Central article to get more details on how to set up a WSUS test group using GPO (chapter Implement a WSUS Update Test Group of Computers).
Read more »

WordPress Themes

Blossom Icon Set

Software Top Blogs