Sysinternals – Permissions, LoggedOn, Endpoints

How to Get the permission on folders:
PowerShell:
Get-ChildItem | Get-ACL
Path | Owner | Access

or more in depth use:

GUI based : Run AccessEnum against the drive or folder – (SysInternals tool) and save to text file (Run as administrator or a specific user)

Who is logged on via the resource shares:
Launch cmd and run PSLoggedon (SysInternals tool)
Displays :
1) Users logged on locally
2) Users logged on via resource shares

List TCP and UDP Endpoints connected
Run TCPView application (SysInternals tool) and save to text file

Ever need to identify the before and after changes in Active Directory
Use : ADExplorer (SystInternals tool)

Download Sysinternals 
https://docs.microsoft.com/en-gb/sysinternals/downloads/sysinternals-suite

Suggested top 10 sysinternals tools
https://www.techrepublic.com/blog/10-things/10-sysinternals-tools-you-shouldnt-be-without/
See an advert of interest, CLICK IT!  This site is funded by AD clicks.

Client failed to RDP to RDS server following Windows Server Patching – CredSSP updates for CVE-2018-0886

CredSSP updates for CVE-2018-0886

That Monday morning issue when servers were patched on a Sunday… All Windows 10 clients fail to RDP to the RDS server following Windows Server Patching.

The cause?

“By default, after this update is installed, patched clients cannot communicate with unpatched servers. Use the interoperability matrix and group policy settings described in this article to enable an “allowed” configuration.”

https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

Temp Solution until clients are patched

Create a registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters

CredSSP and Parameters keys had to be created
Create the AllowEncryptionOracle DWORD and give it a value of 2

or Command lined:

REG  ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

 

Tested on Windows 7 and Windows 10.
No reboot required.

Note this reduces the security the patch was put in to fix

See an advert of interest, CLICK IT!  This site is funded by AD clicks.

Check / Set / Sync Time Source for Windows Servers

To set the time ( Tested against Windows 2016)

Launch CMD as administrator
exampled c:\time 09:00:00 AM   – This will set the time to 9am

Note a time source if domain joined will up date the time clock again
Check the source
c:\w32tm /query /status Will show the time “Source”

To set an internet based NTP

c:\w32tm /config /syncfromflags:manual /manualpeerlist:”0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org
3.pool.ntp.org”

This will take effect after stopping and starting the W32Time service

Powershell….
stop-service w32time
start-service w32time

for settings to take effect

check status
c:\w32tm /query /status Will show the new time “Source”

To check sync is working
c:\w32tm /resync (Check the time sync)

 

See an advert of interest, click it, this site is funded by ad clicks.

Get-AdUser -Filter {Multiple Filters Complex } -Properties | Export to CSV

#Import AD modules

import-module servermanager
Add-WindowsFeature -Name “RSAT-AD-PowerShell” -IncludeAllSubFeature

#List AD user accounts and show DisplayName, Email, Title and export to CSV

Get-ADUser -Filter * -Properties DisplayName, EmailAddress, Title | select DisplayName, EmailAddress, Title | Export-CSV “C:\temp\Email_Addresses.csv”

#List AD user accounts and show DisplayName, Email, Title and export to CSV. Advanced filter to show ENABLED accounts only

Get-ADUser -Filter {Enabled -eq $true} -Properties DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | select DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | Export-CSV “C:\temp\Email_Addresses_allusers.csv”

#List AD user accounts and show DisplayName, Email, Title and export to CSV. Advanced filter to show ENABLED accounts only and email address ending @test.com

Get-ADUser -Filter {(Enabled -eq $true) -And (EmailAddress -Like “*@test.com”)} -Properties DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | select DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | Export-CSV “C:\temp\Email_Addresses_testdomain.csv”

Get a list of inactive computers which have not logged on to the domain in the last 12 weeks

# Inactive computers ( this will include systems not regularly used)

# Launch command prompt as administrator and run the following commands

Dsquery computer -inactive 12 -limit 500

# Lists computers inactive for over 12 weeks and returns a limit of 500 results

Dsquery computer -inactive 12 -limit 500 | dsmod computer -disabled

# Lists computers inactive for over 12 weeks and returns a limit of 500 results and disables the computer accounts

 

# Similar command can be done for users.

 

Get a list of active computers which have logged on to the domain in the last 7 days

# Trying to work out is servers, laptops or desktops have been decommissioned
# Try this script
# Get a list of active computers which have logged on to the domain in the last 7 days

$Date = (Get-Date).AddDays(-7)
Get-ADComputer -Filter {LastLogonDate -gt $Date} | Select distinguishedName

# https://social.technet.microsoft.com/Forums/windows/en-US/4d412730-5937-48c2-bf17-0dc9db013241/list-active-computers-in-ad?forum=winserverDS
# Credit to Richard Mueller – MVP Enterprise Mobility (Directory Services)

Hide Folders Under Share with Access Based Enumeration

So todays challenge. Hide visible folders under share to users who don’t have access.

Example

We create some new shares. Folders are then created under the share and NTFS permissions set.

Share Name : Shared Folder

Folder :

  • IT (NTFS Permissions – IT group Only)
  • HR (NTFS Permissions – HR group Only)
  • PAYROLE (NTFS Permissions – Payrole group Only)
  • ALL USERS (NTFS Permissions – HR Only)

I created a share. When logged in as a user, i could see all the folders under the shared folder.
As you would expect, I could only open the folders I had access to.

So, is this suitable? It doesnt let users in to folders they dont have access to, but it does tell them which folders are there.

So this is where “Access Based Enumeration” might come in. This feature hides folders from users that do not have permission to that folder.
Access based enumeration (ABE) came out in Windows Server 2008.

How to setup Access Based Enumeration:

  • Launch “SERVER MANAGER” (Server 2012 or Server 2016)
  • Click on “FILE AND STORAGE SERVICES”
  • Click on “SHARES”
  • Right click on each share you want to set ABE, select “PROPERTIES”
  • Click “SETTINGS”
  • Click “ENABLE ACCESS BASED ENUMERATION”

The next time a user logs in and views the share only users that have permissions to that folders under the share will be able to see them. The folders they dont have permission to will not appear.

—Always try things in a lab environment, always seek further information before implementing from the vendor i.e Microsoft.com —

OMS – Azure Automation

What is OMS? .
Is it.. System Center Online rebranded?
OMS is used to gather logs centrally and make decisions upon this information.

What can you do with Operations Management Suite (OMS)?
PaaS application which is running on Azure
Use it to manage on prem or azure based VMs

How do you create and OMS setup
Ideal concept, Log all the information to a storage account. OMS will trawl the logs to make use of the information. The default agent in a VM has the information to transfer to a storage account and passing it to OMS.

Grab solutions from a portal.

  • Check status of patches
  • Change management
  • Log queries
  • Identify weakness in the environment

How you access OMS
OMS workspace is accessed via a web browser to view the information.

OMS Pricing
OMS free version holds data for upto 7 days
OMS costs for per machine monitoring

Identify Weakness or Issues.
For example No End Point security on VMs might be flagged
A recommendation to install a 3rd party tool.
Example : Deep Security – Trend Micro. An Azure recommended product for end point protection appears on the list in the filtered market place

Azure and Containers

What is a container?
A container is a live and running copy of an image which may have been customised.
An image is a read only copy of an image before it was running as a container

How do you implement containers in Azure

Two options, containers we deploy ourselves and containers Microsoft manage
Container can be running on Windows 2016 or Linux OS
CPU and Ram assigned to each individual container

Containers Limited security risk?
Microsoft offers Hyper-V running containers for those concerned
Azure container covers this way.
Others offer shared application containers.

Notes around Docker?
A docker file is like a script to build the container which takes a source and makes an app on an image, which makes a container as its running.

Docker has other tools: Docker toolbox, Docker client and Kitematic (GUI client)

How to Install Docker for Windows

https://docs.docker.com/docker-for-windows/install/

Quick install guide :
1) Navigate to https://docs.docker.com/docker-for-windows/install/#download-docker-for-windows
2) 
On the Install Docker for Windows page, click Get Docker for Windows (Stable).
3) When prompted whether to run or save Docker for Windows Installer.exe, click Run.
4) Once the installation completed, click Close and log out.
<https://github.com/MicrosoftLearning/20533-ImplementingMicrosoftAzureInfrastructureSolutions/blob/master/Instructions/20533D_LAB_AK_07.md>

Note
When you make a mistake deploying a docker-machine .. Ie.. Forget to enter a region… But the machine builds and you enter an error state.
Start again by removing the docker-machine

Launch CMD as admin : docker-machine rm “machine name”

 

Kubernetes
Kubernetes a management tools to for Docker. An alternative Docker Swarm for large scale
Deploy Kubernetes cluster for Linux containers

From <https://docs.microsoft.com/en-us/azure/container-service/kubernetes/container-service-kubernetes-walkthrough>

https://docs.microsoft.com/en-us/azure/aks/intro-kubernetes

DCOS getting started with Kubernetes

https://kubernetes.io/docs/getting-started-guides/dcos/