Powershell on Linux

By Andrei Ungureanu - Last updated: Friday, August 19, 2016

PowerShell on Linux will clearly change a lot, and MS will be seen in an entirely different light.

https://azure.microsoft.com/en-us/blog/powershell-is-open-sourced-and-is-available-on-linux/

PS: in fact, porting .NET to Linux is the foundation, and many other things will follow from it.

Filed in Announcements

Extrasphere tools

By Andrei Ungureanu - Last updated: Thursday, August 11, 2016

I just came across a tool that looks interesting and allows storage migration on ESXi without vCenter.


I discovered the tool by reading about it on a reputable virtualization site (vladan.fr), but even so it looks dubious to me. First, after it was initially announced on vladan.fr it was found to contain a trojan; second, it is built with Unity (who on earth builds something like this in Unity); third, it is written by some Russians whose contact is a Gmail address.

There are also versions for Windows, Android and macOS.

If you are still brave enough: http://www.extrasphere.ru/#!download/c1df1

Filed in Miscellaneous

How to restore deleted user accounts and their group memberships in Active Directory – Pre W2K8 version

By Andrei Ungureanu - Last updated: Tuesday, July 26, 2016

I have run into a great many scenarios where “accidental” changes were made and everyone believed the AD Recycle Bin would save them. Well, if it was never enabled, there is no way it can help you.

In that case you have to fall back on the methods used in the past:

https://support.microsoft.com/en-us/kb/840001

It has been so long since I last did an Authoritative Restore that it now seems extremely complicated to me.

So enable the Recycle Bin and forget about these procedures entirely.

PS: and if you have no backup, it can also be done with object reanimation – https://blogs.technet.microsoft.com/asiasupp/2006/12/14/using-adrestore-tool-to-restore-deleted-objects/
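The post's advice is "enable the Recycle Bin and forget about authoritative restores". The script below is an added example (not from the original post) of what that looks like in practice: it checks whether the Recycle Bin optional feature is enabled in the forest, enables it if not, then locates a deleted user object and restores it so its group memberships come back with it. The forest name and the sAMAccountName are constructed placeholders; the ActiveDirectory module and Enterprise Admin rights are assumed.

```powershell
# Added example (not from the original post): AD Recycle Bin check + restore of a deleted user.
# Assumes the ActiveDirectory module and Enterprise Admin rights in the target forest.
Import-Module ActiveDirectory

$ForestName  = 'corp.example'   # placeholder: your forest root domain
$DeletedUser = 'jdoe'           # placeholder: sAMAccountName of the deleted account

# 1. Is the Recycle Bin enabled? EnabledScopes stays empty until the feature is turned on.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is NOT enabled; objects deleted before it is enabled cannot be restored this way.'
    # Enabling is irreversible and requires forest functional level 2008 R2 or higher.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $ForestName -Confirm:$false
}

# 2. Locate the deleted object. Linked attributes such as memberOf are only preserved
#    on a deleted object if the Recycle Bin was already on when the deletion happened.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $DeletedUser } `
                        -IncludeDeletedObjects -Properties lastKnownParent, memberOf, whenChanged
if (-not $deleted) { throw "No deleted object found for $DeletedUser" }

Write-Host "Found $($deleted.DistinguishedName), last parent: $($deleted.lastKnownParent)"

# 3. Put it back under its last known parent container.
Restore-ADObject -Identity $deleted.ObjectGUID

# 4. Verify that the group memberships came back with the object.
Get-ADUser -Identity $DeletedUser -Properties memberOf | Select-Object -ExpandProperty memberOf
```

If step 1 reports the feature as disabled, the object you are looking for is a tombstone rather than a recoverable deleted object, and you are back to the KB 840001 authoritative restore or the object reanimation route the post links to.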

Filed in Active Directory

SID Filtering and Well Known Groups over PIM Trust

By Andrei Ungureanu - Last updated: Friday, June 24, 2016

Looks like the update that allows the use of built-in groups (Domain Admins, Administrators, etc.) over the PIM trust has finally arrived:

https://support.microsoft.com/en-us/kb/3155495

For those that don’t know, the well known accounts are always filtered over forest trusts. But in case you implement the new bastion forest model you’ll need that security feature disabled.

Filed in Uncategorized

Plantronics headsets on Windows

By Andrei Ungureanu - Last updated: Thursday, June 23, 2016

For some time I have had a Plantronics headset that I use with my mobile phone. At some point I wanted to use it with the applications on my laptop as well, but I could not, because of the missing drivers.

After some investigation I found that the installation is nevertheless possible on Windows using the Broadcom drivers:

https://www.broadcom.com/support/bluetooth

Filed in Hardware Corner

vCenter Server 6.0 – Skip Install Prerequisites

By Andrei Ungureanu - Last updated: Tuesday, June 21, 2016

vCenter Server 6.0 has fairly steep hardware requirements, so if you try to install it for a simple lab and have certain hardware limits you will run into a problem. Allocating 8 GB of RAM just to install vCenter seems monstrous to me.

Still, hidden somewhere there is a parameter that makes the installer continue even when the hardware requirements are not met.

The parameter is called SKIP_HARDWARE_CHECKS and you will need to launch the setup from the command line as follows:

VMware-vCenter-Server.exe "SKIP_HARDWARE_CHECKS=1"

Filed in Virtualization

MS16-071 – Patch Now

By Andrei Ungureanu - Last updated: Tuesday, June 21, 2016

A week has passed since the June security bulletin was published, and I see that nobody is in any hurry to install anything.

But MS16-071 is the reason you should expedite the update on your servers. It is remotely exploitable, it uses a protocol that is very easily allowed through firewalls, and the affected service in many cases runs on domain controllers. So there is every chance that someone checkmates you before you even realize it.

Last week there was no sign that working exploit code existed yet. But since the vulnerability was disclosed privately, directly to Microsoft, it will probably take a while before something appears for the general public. That does not mean there are no parties who know how to exploit this vulnerability.


Windows DNS Server Use After Free Vulnerability – CVE-2016-3227

A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server. The update addresses the vulnerability by modifying how Windows DNS servers handle requests.
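The post's point is that the exposed service usually sits on domain controllers, so the first job is knowing which of them run DNS and whether the update is already on. The script below is an added example (not from the original post) that walks the domain controllers, checks for the DNS Server service and for the MS16-071 hotfix, and lists the servers still to patch. The KB number is a placeholder to be filled from the MS16-071 bulletin; the ActiveDirectory module and remote RPC/WinRM access to the DCs are assumed.

```powershell
# Added example (not from the original post): inventory DCs running DNS and their MS16-071 status.
# Assumes the ActiveDirectory module and that Get-Service/Get-HotFix can reach the DCs remotely.
Import-Module ActiveDirectory

$KbId = 'KB<number from the MS16-071 bulletin>'   # placeholder: take the KB id from the bulletin

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    # The DNS Server role registers the "DNS" service; if it is running, the request-handling
    # code the bulletin describes is reachable from the network as LocalSystem.
    $dns = Get-Service -ComputerName $name -Name DNS -ErrorAction SilentlyContinue
    $fix = Get-HotFix  -ComputerName $name -Id $KbId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server         = $name
        DnsRole        = [bool]$dns
        DnsRunning     = ($null -ne $dns -and $dns.Status -eq 'Running')
        Ms16071Patched = [bool]$fix
    }
}

# Servers that answer DNS and still lack the update go to the top of the patch list.
$report | Where-Object { $_.DnsRunning -and -not $_.Ms16071Patched } | Format-Table -AutoSize
```

Get-ADDomainController only covers DCs; member servers that also run the DNS Server role need the same two checks, so extend the loop with a Get-ADComputer query if you have any.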

Filed in Active Directory, Security

Microsoft Security Intelligence Report

By Andrei Ungureanu - Last updated: Friday, May 6, 2016

I have not looked at the SIR for a very long time, but the latest editions are really interesting and I need to make time to read them.


https://www.microsoft.com/security/sir/default.aspx

Filed in Security

Privileged Access Management in Windows 2016 Active Directory

By Andrei Ungureanu - Last updated: Tuesday, May 3, 2016

So this PAM (Privileged Access Management) stuff is something I thought I needed to write about in English, since there is not much information about it. It is a feature that Microsoft makes a big fuss about in terms of using it with MIM (Microsoft Identity Manager), but not about how to leverage at least part of it if you don’t have MIM.

Some info on this new technology is here:

https://technet.microsoft.com/en-us/library/dn903243.aspx

And from this link let’s look a little bit at the problems PAM is trying to solve:

A real concern for enterprises today is the uncertainty regarding resource access within an Active Directory environment. Particularly troubling is news about vulnerabilities, unauthorized privilege escalations, and other types of unauthorized access, including pass-the-hash, pass-the-ticket, spear phishing, and Kerberos compromises. All of these attack capabilities are a concern for enterprises.

Could their Active Directory environment already be compromised? If not, how long can it take an attacker to find and then compromise a Domain Admins account? After attackers achieve such access, what can stop them? How long can they lurk on the network with that access? How long can the environment be at risk before the compromise is detected? Attackers can leave backdoors (create a way that allows them to get back in but not using the normal procedures), perform data exfiltration, and carry out other exploits.

The goal of PAM is to change the timeframes in which these vulnerabilities can be exploited. Today, it’s too easy for attackers to obtain Domain Admins account credentials, and it’s too hard to discover these attacks after the fact. Along with other investments, PAM will make it harder for attackers to penetrate a network and obtain privileged account access. PAM adds protection to privileged groups that control access across a range of domain-joined computers and applications on those computers. It also adds more monitoring, more visibility, and more fine-grained controls so that organizations can see who their privileged administrators are, and what are they doing. PAM gives organizations more insight into how such administrative accounts are used in the environment.

So … here’s a quick look on how this new PAM is going to work:

– a new Active Directory forest will be created

– all privileged accounts will be created in the new forest (let’s call it a bastion Active Directory forest)

– the old production forest doesn’t require any upgrade (for now)

– a new type of trust will be created between these two forests (PIM Trust)

– shadow groups (a new type of object available in WS 2016) will be created in the bastion forest

– each time an admin needs to do his/her work, the account in the bastion forest will be used (and that account will have access in the production forest, without being a member of any privileged groups)

The following picture will give some more insight of the workflow:

[image]

And let’s get started. We have the new bastion forest. We have the trust set between these two forests and we’ll need to enable one more thing over this trust. Using NETDOM with the /ENABLEPIMTRUST option:

[image]

Note: My production forest is called WINDEV.NET and my bastion forest is called WINADM.NET (sorry if this is confusing, but initially I had these set up for another purpose).

In the bastion forest, if we look in Active Directory Sites and Services console, we can see a new container called Shadow Principal Configuration and if we right click on it we have the option to create some new objects.

[image]

What we are interested in is the msDS-ShadowPrincipal (we can create this type of object in some other parts of AD using Active Directory Users and Computers, but for the scenario I am trying to show right now it doesn’t seem to produce the desired results; so let’s create it using Sites and Services).

The new object will need a name. The object will be a shadow of an existing object from the production forest. And I am trying to shadow the Server Admins group.

[image]

Find out the SID of the production group (get-adgroup should be simple enough – in the production forest).

[image]

Just two steps and we have the shadow created.

[image]

Let’s inspect the attributes of the new object:

[image]

[image]

Now let’s add members to this shadow group. The members need to be accounts from the same forest as the shadow group (the bastion forest). So, my admins will get new accounts that will be regular accounts in the bastion forest, but through the shadow group they’ll be able to get privileges in the production forest.

And I have such an account that I will use for this:

[image]

After this, the shadow group membership can be seen through the regular Active Directory Users and Computers console:

[image]

And now the test. I am logging on using my “admin” account created in the bastion forest (WINADM), on a computer from the production forest (WINDEV).

Running whoami /groups will show me that in my token, I have the SID of my Server Admins group from the production forest (WINDEV).

[image]

Combine these with time limited group membership and you will make a big change in your Active Directory security. Please note that for now this is beta software. Do not use it in production environments.
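The walkthrough above is done through the GUI consoles. The script below is an added example (not from the original post) of the same procedure from PowerShell on the bastion forest: enabling the PAM optional feature, reading the production group's SID, creating the msDS-ShadowPrincipal in the Shadow Principal Configuration container, adding a bastion account as a member, and, picking up the closing remark, doing so with a time-limited membership. It uses the post's forest names (WINDEV.NET production, WINADM.NET bastion); the group and user names are constructed, the ActiveDirectory module on a WS2016 TP5 bastion DC and an existing forest trust are assumed, and the netdom parameter syntax in the comment is an assumption beyond the /ENABLEPIMTRUST option the post names.

```powershell
# Added example (not from the original post): PAM shadow principal setup from PowerShell.
# Assumes the ActiveDirectory module on a WS2016 TP5 bastion DC and an existing forest trust.
Import-Module ActiveDirectory

$ProdForest    = 'windev.net'        # production forest (from the post)
$BastionForest = 'winadm.net'        # bastion forest (from the post)
$ProdGroup     = 'Server Admins'     # production group to shadow (from the post)
$BastionAdmin  = 'adm.jdoe'          # constructed: regular account in the bastion forest

# 1. PIM trust flag, set on the production side with NETDOM (run on a production DC).
#    Assumed syntax; /quarantine:no turns off SID filtering so the production SID is kept.
#    netdom trust $ProdForest /domain:$BastionForest /enablepimtrust:yes /quarantine:no /userD:WINADM\Administrator /passwordD:*

# 2. The bastion forest needs the PAM optional feature (irreversible, like the Recycle Bin).
$pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"' -Server $BastionForest
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $BastionForest -Confirm:$false
}

# 3. SID of the production group, queried across the trust (the post's get-adgroup step).
$prodSid = (Get-ADGroup -Identity $ProdGroup -Server $ProdForest).SID

# 4. Create the shadow principal in the Shadow Principal Configuration container.
$configNc  = (Get-ADRootDSE -Server $BastionForest).configurationNamingContext
$container = "CN=Shadow Principal Configuration,CN=Services,$configNc"
$shadow = New-ADObject -Type msDS-ShadowPrincipal -Name "Shadow-$ProdGroup" -Path $container `
            -OtherAttributes @{ 'msDS-ShadowPrincipalSid' = $prodSid } -Server $BastionForest -PassThru

# 5. Add the bastion account as a member. The "<TTL=seconds,DN>" form creates a time-limited
#    membership, so the production SID is only in the token while the link is still valid.
$memberDn = (Get-ADUser -Identity $BastionAdmin -Server $BastionForest).DistinguishedName
Set-ADObject -Identity $shadow -Add @{ member = "<TTL=3600,$memberDn>" } -Server $BastionForest

# 6. Verify the object: it should carry the production SID and the member link.
Get-ADObject -Identity $shadow -Properties member, 'msDS-ShadowPrincipalSid' -Server $BastionForest |
    Select-Object Name, member, 'msDS-ShadowPrincipalSid'

# 7. On a WINDEV machine, log on as WINADM\adm.jdoe and run "whoami /groups": the SID of
#    WINDEV\Server Admins should be in the token, and should be gone after the TTL expires.
```

The TTL only takes effect once the PAM optional feature from step 2 is enabled; without it the "<TTL=...>" prefix is rejected and you would fall back to a plain, permanent member link.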

For now I am still waiting for the official product documentation …

Filed in Active Directory

Windows Server 2016 TP5

By Andrei Ungureanu - Last updated: Thursday, April 28, 2016

WS2016 TP5 has just been released, probably the last technical preview before RTM. It can be downloaded from here:

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview

The documentation is rather thin at the moment. All I could find is at the link below:

https://technet.microsoft.com/en-us/library/dn765472(v=ws.12).aspx

Filed in Windows Server