
Posts

Showing posts with the label windows

Local Administrator Password Solution (LAPS) is now official

This solution is now officially distributed by Microsoft!

"Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords."

https://www.microsoft.com/en-us/download/details.aspx?id=46899
https://technet.microsoft.com/en-us/library/security/3062591.aspx

Managing The Local Administrator Password - Part 3 - The Implementation

In this post I outline a step-by-step guide to implementing the solution. This post builds on the previous one. It is mostly a condensed version of the author's documentation, with the addition of some items that I either found unclear or that were not covered by the author. In any case you should read the full documentation found here: http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/file/96116/1/Documentation.zip

WARNING: The solution requires a schema extension, and this should never be taken lightly, so do test properly and proceed at your own risk.

The steps described in this section can be carried out on a Domain Controller or a management workstation.

1. Install the CSE including the "Management Tools". This installs:
AdmPwd.ps PowerShell module
GPO templates (AdmPwd.admx and .adml)

Note: I tested this on a domain with a local GPO store. If you are using a Central Store you should check that the templates have been copied. The fol

Managing The Local Administrator Password - Part 2 - The Solution

Jiri Formacek, a Microsoft Services consultant (based on his LinkedIn profile), has published an excellent local admin password management solution.

The solution uses a Group Policy Client Side Extension (CSE) to set a random, unique per-computer local administrator password that is changed at a user-controlled interval (30 days by default). The password is then stored in a confidential Active Directory (AD) attribute. Permission to retrieve the password is controlled using a security group. The solution is described in the documentation, so I won't be repeating what's there. I'll go over the main points and some things that are not covered in the official documentation. I recommend reading the documentation.

The solution can be downloaded here: http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789
The documentation can be found here: http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/file/96116/1/Documentation.zip

I

Managing The Local Administrator Password - Part 1 - The Issue

The local administrator password has always been a headache for security professionals. There hasn't been a good and free way to manage the password at scale, and most organizations ended up using the same password on all desktops, or even servers. This introduces a number of vulnerabilities, such as:
All IT staff know the password
The password is never changed
The password inevitably becomes known to users and various third parties
Machines are exposed to pass-the-hash attacks

If an attacker, malware or a malicious insider gains access to a single machine currently logged on under the local admin account, they will be able to access all machines by executing a script or using built-in management tools. Moreover, compromise of a single machine will allow an attacker to grab the password hash and use it to access other computers.

The local administrator password can be managed using Group Policy Preferences as detailed in the following article: https://soc

Windows CRL caching

By default, both downloaded CRLs and OCSP responses are cached by a Windows client. If a time-valid version of the CRL or OCSP response exists in the cache, the client will use the cached version rather than downloading an updated CRL or submitting a new OCSP request.

Caching-related configuration is defined in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config

A binary value named ChainCacheResyncFiletime defines when the cache will be cleared.

Force the cache to be cleared:
c:\> certutil -setreg chain\ChainCacheResyncFiletime @now

Force the cache to clear in 1 hour:
c:\> certutil -setreg chain\ChainCacheResyncFiletime @now+0:1

View the current cache lifetime configuration:
c:\> certutil -getreg chain\ChainCacheResyncFiletime

Managing Certificate Revocation Lists (CRLs) in Windows

Publish a CRL to the LDAP store:
C:\> certutil -dspublish .\IssuingCA-DC1.crl serverName

Validate a certificate's Authority Information Access (AIA), Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) status:
C:\> certutil -URL certname.cer

This command launches the UI below, which can be used to check the following (note: the certificate in question is revoked):
Authority Information Access (AIA) - this extension specifies the location where CA certificates are located (used for building the certification path)
CRL accessibility based on the CRL Distribution Point (CDP) extension
Revocation status using OCSP; the OCSP URL is specified in the AIA extension

Download a CRL (creates the file "Blob0_1_0.crl" in the working directory):
C:\> certutil -split -URL http://dc1.kp.local/pki/IssuingCA-DC1.crl

View CRL publication related registry entries:
C:\> certutil -getreg ca\CRLPublicationURLs

Verify re

Add a security group to an ACL and propagate the ACE without affecting inheritance

I've recently needed to add a security group to the ACLs of a number of shared folders. The problem was that adding a group to the top-level folder and propagating permissions down the folder tree would wipe existing permissions. After some time playing with ICACLS I managed to put together a command that did the trick.

A bit of terminology first:
ACE - Access Control Entry - is a single entry in an ACL, such as "GroupA - Read"
ACL - Access Control List - is a collection of ACEs

Effectively, the command below adds an ACE to an ACL.

I recommend reading the following article before proceeding:
How Security Descriptors and Access Control Lists Work: http://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx
This KB article provides documentation for ICACLS: http://technet.microsoft.com/en-us/library/cc753525(v=ws.10).aspx

Now the magic command:
icacls "f:\user" /grant builtin\Administrators:(OI)(CI)(F) /T /c

The above co

Hardening Adobe Reader 11 Using Group Policy

Due to its ubiquitous install base, Adobe Reader (AR) has historically been leveraged by malware to facilitate infections. The sandboxing technology implemented in AR11 largely addresses the problem. The sandbox has, however, been bypassed using a flaw in AR's JavaScript engine. AR has a built-in JavaScript engine that itself has been the source of most security vulnerabilities in Adobe Reader. JavaScript is very rarely used in PDF documents and can therefore be safely disabled.

With the release of version 11, Adobe has published a Group Policy template that can be leveraged to mitigate most of the avenues that attackers use to exploit our systems. The template files can be downloaded here: ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.00/misc/ReaderADMTemplate.zip

They are provided in the standard GPO template format used since Windows 2008. There are two files: reader11.admx and reader11.adml. The files need to be copied to different locations depending on whether you use loc

Mitigating Removable Storage Infection Vector Using Group Policy

Removable storage is a very common malware infection vector. While Group Policy allows for fully disabling removable storage, this is not always possible due to usability requirements. This post outlines what we can do in an Active Directory environment to mitigate this threat.

In most cases malware exploits some sort of autoplay feature in order to execute itself and infect a system. There are three interesting settings in Group Policy that can help us mitigate this threat. They can be found under "Computer Configuration" > "Administrative Templates" > "Windows Components" > "AutoPlay Policies". The above configuration disables all autoplay and autorun features, effectively preventing anything from being run automatically.

Another interesting setting is found under "Computer Configuration" > "Administrative Templates" > "Windows Components" > "Removable Storage Access"

DS commands and FOR loops

Good old-fashioned "ds" commands: basic, but always available, and they just do the job! While nowadays we have PowerShell, I still come across Windows 2003 boxes. DS commands in combination with FOR loops are quite powerful.

How to query Active Directory for disabled computer accounts and move them to a specified OU:
for /f "Tokens=*" %s in ('dsquery computer -disabled -limit 0') do (DSMOVE %s -newparent "ou=Disabled_Computers,dc=securesenses,dc=net")

How to move computers to a specified OU using a list of hostnames (one hostname per line):
for /f "Tokens=*" %i in (comps.txt) do dsquery computer -name %i | (dsmove -newparent "OU=DBServers,OU=Servers,dc=securesenses,dc=net")

How to create security groups with descriptions listed in a comma-separated text file (name,description per line):
for /f "delims=, tokens=1,2" %i in (groups.txt) do dsadd group "CN=%i,OU=Groups,DC=securesenses,DC=net" -desc %j

How to disable

WMIC

WMIC is a command line interface to WMI (Windows Management Instrumentation). WMI is a powerful management interface that we can access directly from the command line. WMIC can be used to manage remote computers.

If we want to execute WMIC commands on a single computer, we prepend the command with /node: as shown below:
/node:hostname123 - specifies a single server
wmic /node:hostname123 qfe where hotfixid="KB974571" list full

If we want to execute WMIC commands on multiple computers listed in c:\nodes.txt, we prepend the command with /node:@ as shown below:
/node:@'c:\node.txt' - specifies a text file with server names
wmic /node:@'c:\node.txt' qfe where hotfixid="KB974571" list full

It's worth keeping in mind that not all WMI classes have corresponding classes (called aliases) in WMIC. It is, however, possible to access WMI classes directly from WMIC:
wmic /namespace:\\root\NAMESPACE path CLASSNAME

To directly acces