Archive for 'Uncategorized' Category

PXE protocol details

By Andrei Ungureanu - Last updated: Saturday, April 23, 2022

Just did some quick PXE troubleshooting this week and I thought I’d share a good PXE document that explains the logic built into the protocol: http://www.pix.net/software/pxeboot/archive/pxespec.pdf It’s really old stuff, but it still helps to get an insight into the protocol. Some stuff from Broadcom was also very helpful: https://knowledge.broadcom.com/external/article/181525/using-a-wireshark-network-trace-to-troub.html PS: Be careful with […]

About NT SERVICE\ALL SERVICES group

By Andrei Ungureanu - Last updated: Thursday, March 31, 2022

So what is with this group? I saw it on fresh OS installs, in GPOs, and in some random forum discussions. But not a lot is explained in the MS docs. There is something, but it’s kind of useless and confusing: https://docs.microsoft.com/en-US/windows/security/identity-protection/access-control/security-identifiers It says: S-1-5-80-0, All Services: A group that includes all service processes configured on the system. Membership […]

More about how Network Location Awareness Works

By Andrei Ungureanu - Last updated: Sunday, March 20, 2022

Because of some recent issues I had with NLA, I’ve started to dig a bit into this subject, and since there isn’t a lot of information about NLA available, I thought I’d share some of my findings: – For everyone having issues with Domain detection please apply this workaround – The domain profile isn’t set […]

Network Location Awareness (NLA) issues on Windows Server 2019

By Andrei Ungureanu - Last updated: Wednesday, March 16, 2022

Lately I have encountered an issue where NLA wrongly identifies the network location as Public instead of Domain. This triggers the Windows Firewall to use the Public profile and from here an avalanche of issues. What I have observed was that this happened on computers with a teamed network adapter that was also used to […]

SMB security stuff

By Andrei Ungureanu - Last updated: Monday, March 14, 2022

Just leaving here a couple of SMB security related links for anyone interested: “How to Defend Users from Interception Attacks via SMB Client Defense” and “Beyond the Edge: How to Secure SMB Traffic in Windows”. Always use SMB signing (and encryption if possible; on SMBv3 it’s better to use encryption). Do not be afraid to test […]

Best Active Directory Docs Collection

By Andrei Ungureanu - Last updated: Sunday, February 13, 2022

If you’re looking for Active Directory documentation here’s a concentrated shot: http://download.microsoft.com/download/2/2/C/22CBAF24-CDBD-46E8-BD90-909265EBECBA/MCSM_Directory_Reading_List_June_2013.docx

Time to return

By Andrei Ungureanu - Last updated: Friday, May 8, 2020

While looking for something in my old posts, I realized that exactly two years have passed since I last posted anything. And after everything I have seen in recent years, I am starting to realize more and more that the world still needs sysadmins. So I am going to start writing again from […]

SID Filtering and Well Known Groups over PIM Trust

By Andrei Ungureanu - Last updated: Friday, June 24, 2016

Looks like the update that allows the use of built-in groups (Domain Admins, Administrators, etc.) over the PIM trust has finally arrived: https://support.microsoft.com/en-us/kb/3155495 For those that don’t know, the well-known accounts are always filtered over forest trusts. But in case you implement the new bastion forest model you’ll need that security feature disabled.

Temporary Group Membership in Windows Server 2016

By Andrei Ungureanu - Last updated: Saturday, April 16, 2016

Microsoft has not completely forgotten about Active Directory, and the version that comes with Windows Server 2016 has a few subtle improvements. In any case, we have become used to changes on the AD side being very subtle and hard to notice for the inexperienced admin. One of the new features is called Temporary Group Membership and comes somewhat more […]

Let’s Encrypt Free SSL certificates

By Andrei Ungureanu - Last updated: Wednesday, January 13, 2016

I found out rather late about the Let’s Encrypt project www.letsencrypt.org and I admit that I do not look favorably on this project for the moment. Although it allows anyone to obtain a certificate that will be validated by most browsers, and automatically the securing of traffic between client and server, it brings a very big problem in my opinion. Namely […]