Category: Uncategorized

Found this article and it will be helpful in the future.

How to integrate Power BI Report Server with Configuration Manager reporting

Recently I was on a quest to disable the Dropbox program from running on company owned (domain joined) machines. There were lots of hacks to make it work but finally I found a solution, although it was worded relatively cryptically, on Experts Exchange by a McKnife (http://tinyurl.com/gr3f9ar). Long story short you can use Software Restriction Policies (https://technet.microsoft.com/en-us/library/bb457006.aspx) to do this but his solution was more elegant as it blocked Dropbox programs based on the certificate used to sign them as opposed to the file path or things that might change often. This not only blocks the Dropbox program if it’s already installed but also prevents a user from installing it in the first place. Here is my expanded version of his instructions.

First download the Dropbox installer. Right click it and select Properties then go to Digital Signatures. Select the first one (SHA1) and click “Details”. Click “View Certificate” then the Details tab then “Copy to File…”. This lets you export out the certificate. Click Next then “Base-64 encoded X.509 (.CER)” and next again. Save the certificate as something like “Dropbox SHA1 Cert.CER”. Once that one is exported repeat the procedure for the SHA256 certificate.

Once you have both certificates open up Group Policy Management and if you already have a software restrictions policy edit it. If not I suggest you create a new one. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules. Right click and create a “New Certificate Rule”. Browse for the SHA cert and make sure the Security Level is set to Disallow. Give it a description such as “Dropbox SHA Certificate”. When you click OK, if you didn’t have any certificate rules before, it will prompt you to turn them on and display the “Enforcement Properties” page. At the bottom “Enforce certificate rules” then “OK”. Repeat for the SHA256 certificate.

Once GPO updates Dropbox will no longer start and executing the exe or installer directly will give you a nice error message.

Side note: Once this policy is in place you will also not be able to uninstall Dropbox since the same certificate is being used on the uninstall. Keep that in mind…you would have to disable enforcing certificates temporarily to get it uninstalled.

A decision that I have been seeing more and more recently is companies taking their entire infrastructure into the cloud.  Personally, I see this as a recipe for disaster!

Companies set up so that their entire infrastructure is cloud based but they only purchase a single cirquit to the net.  What happens if/when that cirquit fails?  I’ll tell you what!  You have an entire company that is sitting around playing solitaire because all their files are internet based.  The networking team is scrambling around because the network is down but there is not a whole lot that can be done if the link was cut by a backhoe operator who misread the plans about where he was supposed to start digging.  Don’t laugh, it happens.

My solution to this is using a hybrid configuration.  Have 1/3 or so of your processing power and the majority of your file servers on premise.  Use Onedrive or whatever your file storage solution of choice is strictly as a backup.  This way if you are down you can still work from the local storage and then backup to onedrive when the link is restored.

This is the ultimate guide to Windows audit and security policy settings.

In this guide, I will share my tips for audit policy settings, password and account policy settings, monitoring events, benchmarks and much more.

Table of contents:

• What is Windowing Auditing
• Use The Advanced Audit Policy Configuration
• Configure Audit Policy for Active Directory
• Configure Audit Policy for Workstations and Servers
• Configure Event Log Size and Retention Settings
• Recommended Password & Account Lockout Policy
• Recommended Audit Policy Settings
• Monitor These Events for Compromise
• Centralize Event Logs
• Audit Policy Benchmarks
• Planning Your Audit Policy

What is Windows Auditing?
A Windows audit policy defines what type of events you want to keep track of in a Windows environment. For example, when a user account gets locked out or a user enters a bad password these events will generate a log entry when auditing is turned on. An auditing policy is important for maintaining security, detecting security incidents and to meet compliance requirements.

Use the Advanced Audit Policy Configuration
When you look at the audit policies you will notice two sections, the basic audit policy, and the advanced audit policy. When possible you should only use the Advanced Audit Policy settings located under Security Settings\Advanced Audit Policy Configuration.

The advanced audit policy settings were introduced in Windows Server 2008, it expanded the audit policy settings from 9 to 53. The advanced policy settings allow you to define a more granular audit policy and log only the events you need. This is helpful because some auditing settings will generate a massive amount of logs.

Important: Don’t use both the basic audit policy settings and the advanced settings located under Security Settings\Advanced Audit Policy Configuration. Using both can cause issues and is not recommended.

Microsoft provides the following information.

The advanced audit policy has the following categories. Each category contains a set of policies.

• Account Logon
• Account Management
• Detailed Tracking
• DS Access
• Logon/Logoff
• Object Access
• Policy Change
• Privilege Use
• System
• Global Object Access Auditing

Resources:

Threats and Countermeasures Guide: Advanced Security Audit Policy

Configure Audit Policy for Active Directory (For all Domain Controllers)
By default, there is a bare minimum audit policy configured for Active Directory. You will need to modify the default domain controller policy or create a new one.

Follow these steps to enable an audit policy for Active Directory.

Step 1: Open the Group Policy Management Console
Step 2: Edit the Default Domain Controllers Policy
Right click the policy and select edit

Step 3: Browse to the Advanced Audit Policy Configuration
Now browse to the Advanced Audit Policy Configuration

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration

Step 4: Define Audit Settings
Now you just need to go through each audit policy category and define the events you want to audit. See the recommended audit policy section for the recommended settings.

Configure Audit Policy on Workstations and Servers
It is highly recommended that you enable an audit policy on all workstations and servers. Most incidents start at the client device, if you are not monitoring these systems you could be missing out on important information.

To configure an audit policy for workstations and servers you will need to create a new audit policy. This will be a separate audit policy from your domain controllers. I would not apply this policy to the root of the domain, it is best to have all your workstations and servers in a separate organization unit and apply the audit policy to this OU.

You can see below I have an organizational unit called ADPRO computers. This organizational unit contains sub OUs for department workstations and a server OU for all the servers. I will create a new audit policy on the ADPRO computers OU, this policy will target all devices in this folder.

Configure Event Log Size and Retention Settings
It is important to define the security event log size and retention settings. If these settings are not defined you may overwrite and lose important audit data.

Important: The logs generated on servers and workstations from the audit policy are intended for short term retention. To keep historical audit logs for weeks, months or years you will need to set up a centralized logging system. See the section below for recommendations.

In your audit policy, you can define the event log settings at Computer Configuration -> Policies -> Security Settings -> Event Log

Here are the recommended settings

Maximum application log size
4,194,240 (kilobytes)
Maximum Security log size
4,194,240 (kilobytes)
Maximum system log size
4,194,240 (kilobytes)
Even with the log settings configured you could still overwrite events in a short period of time. It all depends on your audit policy and how many users you have. If you are tracking bad password attempts for 2000 users that will generate way more events than 20 users.

Resource:

Recommended settings for event log sizes in Windows

Recommended Password and Account Lockout Policy
To successfully audit user accounts you need to ensure you have the password and account lockout policy configured. If you are auditing for account lockouts but don’t have a lockout threshold set you will never see those events.

These settings are from the MS Security baseline Windows 10 and Server 2016 document.

Password Policy
GPO location: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

Enforce password history
24
Maximum password age
60
Minimum password age
1
Minimum password length
14
Password must meet complexity requirements
Enabled
Store passwords using reversible encryption
disabled
Account Lockout Policy
GPO location: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy

Account lockout duration
15
Account lockout threshold
10
Reset lockout counter after
15
Resource:

Microsoft Security compliance toolkit

Recommended Audit Policy Settings
These settings are from the MS Security baseline Windows 10 and Server 2016 document.

Recommended domain controller security and audit policy settings.

GPO Policy location: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration

Account Logon
Audit Credential Validation
Success and Failure
Audit Kerberos Authentication Services
Not configured
Audit Kerberos Service Ticket Operations
Not configured
Audit Other Account Logon Events
Not configured
Account Management
Audit Application Group Management
Not configured
Audit Computer Account Management
Success
Audit Distribution Group Management
Not configured
Audit Other Account Management Events
Success and Failure
Audit Security Group Management
Success and Failure
Audit User Account Management
Success and Failure
Detailed Tracking
Audit DPAPI Activity
Not configured
Audit Plug and Play Events
Success
Audit Process Creation
Success
Audit Process Termination
Not Configured
Audit RPC Events
Not Configured
Audit Token Right Adjected
Not Configured
DS Access
Audit Detailed Directory Service Replication
Not configured
Audit Directory Service Access
Success and Failure
Audit Directory Service Changes
Success and Failure
Audit Directory Service Replication
Not Configured
Logon/Logoff
Audit Account Lockout
Success and Failure
Audit User / Device Claims
Not configured
Audit Group Membership
Success
Audit IPsec Extended Mode
Not configured
Audit IPsec Main Mode
Not configured
Audit Logoff
Success
Audit Logon
Success and Failure
Audit Network Policy Server
Not configured
Audit Other Logon/Logoff Events
Not configured
Audit Special Logon
Success
Object Access
Audit Application Generated
Not configured
Audit Certification Services
Not configured
Audit Detailed File Share
Not configured
Audit File Share
Not configured
Audit File System
Not configured
Audit Filtering Platform Connection
Not configured
Audit Filtering Platform Packet Drop
Not configured
Audit Handle Manipulation
Not configured
Audit Kernal Object
Not configured
Audit Other Object Access Events
Not configured
Audit Registry
Not configured
Audit Removable Storage
Success and Failure
Audit SAM
Not configured
Audit Central Access Policy Staging
Not configured
Policy Change
Audit Audit Policy Change
Success and Failure
Audit Authentication Policy Change
Success
Audit Authorization Policy Change
Success
Audit Filtering Platform Policy Change
Not configured
Audit MPSSVC Rule-Level Policy Change
Not Configured
Audit Other Policy Change Events
Not configured
Privilege Use
Audit Non Sensitive Privilege Use
Not configured
Audit Other Privilege Use Events
Not configured
Audit Sensitive Privilege Use
Success and Failure
System
Audit IPsec Driver
Success and Failure
Audit Other System Events
Success and Failure
Audit Security State Change
Success
Audit Security System Extension
Success and Failure
Audit System Integrity
Success and Failure
Global Object Access Auditing
File System
Not configured
Registry
Not configured
I recommend you download the Microsoft Security compliance toolkit. It has an excel document with recommended security and audit settings for windows 10, member servers and domain controllers. In addition, the toolkit has additional documents and files to help you apply security and audit settings.

Centralize Windows Event Logs
When you enable a security and audit policy on all systems those event logs are stored locally on each system. When you need to investigate an incident or run audit reports you will need to go through each log individually on each computer. Another concern is what if a system crashes and you are unable to access the logs?

and… don’t forgot those local logs are intended for short term storage. In large environments, those local logs will be overwritten by new events in a short period of time.

Centralizing your logs will save you time, ensure logs are available and make it easier to report and troubleshoot security incidents. There are many tools out there that can centralize windows event logs.

Below is a list of free and premium tools that will centralize windows event logs. Some of the free tools require a bit of work and may require additional software to visualize and report on the logs. If you have the budget I recommend a premium tool, they are much easier to setup and saves you a ton of time.

SolarWinds Log Analyzer (Premium tool, 30-day FREE trial)
Windows Event Collector (Free, requires additional tools to visualize and report on data)
ManageEngine Audit Plus – (Premium tool)
Splunk – (Premuim tool, a popular tool for analyzing various log files)
Elastic Stack – (Free download)
SolarWinds Event Log Consolidator (Free Download)
Monitor These Events for Compromise
Here is a list of events you should be monitoring and reporting on.

Logon Failures – Event ID 4624, 4771
Successful logons – Event ID 4624
Failures due to bad passwords – Event ID 4625
User Account Locked out – Event ID 4740
User Account Unlocked – Event ID 4767
User changed password – Event ID 4723
User Added to Privileged Group – Event ID 4728, 4732, 4756
Member added to a group – Event ID 4728, 4732, 4756 , 4761, 4746, 4751
Member removed from group – Event ID 4729, 4733, 4757, 4762, 4747, 4752
Security log cleared – Event ID 1102
Computed Deleted – Event ID 4743
Audit Policy Benchmarks
How do you know for sure if your audit policy is getting applied to your systems? How does your audit policy compare to industry best practices? In this section, I’ll show you a few ways you can audit your own systems.

Using auditpol
auditpol is a built-in command that can set and get the audit policy on a system. To view the current audit run this command on your local computer

auditpol /get /category:*

You can check these settings against what is set in your group policy to verify everything is working.

Microsoft Security Toolkit
I mention this toolkit in the recommended settings section but it is worth mentioning again. It contains a spreadsheet with the Microsoft recommended audit and security policy settings. It also includes GPO settings, a script to install and GPO reports. It is a great reference for comparing how your audit policy stacks up against Microsoft’s recommendations.

CIS Benchmarks
CIS benchmarks have configuration guidelines for 140+ systems, including browser, operating systems, and applications.

CIS Benchmarks

CIS CAT Pro
CIS provides a tool that can automatically check your systems settings and how it compares to its benchmarks. This is by far the best method for testing your audit policy against industry benchmarks. The pro version does require a membership, there is a free version with limited features.

CIS-CAT Pro

Planning Your Audit Policy
Here are some tips for an effective audit policy deployment.

Identify your Windows audit goals
Don’t just go and enable all the auditing settings, understand your organization’s overall security goals. Enabling all the auditing rules can generate lots of noise and could make your security efforts more difficult than it should be.

Know your Network Environment
Knowing your network, Active Directory architecture, OU design and security groups are fundamental to a good audit policy. Deploying an audit policy to specific users or assets will be challenging if you do not understand your environment or have a poor logical grouping of your resources.

Group Policy
It is best to deploy your audit policy with group policy. Group policy gives you a centralized location to manage and deploy your audit settings to users and assets within the domain.

How will you obtain event data
You will need to decide how will event data be reviewed.

Will the data be kept on local computers
Will the logs be collected on each system and put into a centralized logging system?
Resources:

Planning and deploying advanced security audit policies

Normally the PDC FSMO at the forest root domain will synchronize from an external time server. All other domain controllers and domain members should synchronize from the domain hierarchy. To configure this on every machine (except the forest root PDC FSMO):

Open an elevated command prompt
Run commands:
w32tm /config /syncfromflags:DOMHIER /update
w32tm /resync /nowait
net stop w32time
net start w32time
If this does not work try again but this time for the resync command add /rediscover.

You can check the time source and state using:

w32tm /query /source
w32tm /monitor

The second-lowest layer (layer 2) in the OSI Reference Model stack is the data link layer, often abbreviated “DLL” (though that abbreviation has other meanings as well in the computer world). The data link layer, also sometimes just called the link layer, is where many wired and wireless local area networking (LAN) technologies primarily function. For example, Ethernet, Token Ring, FDDI and 802.11 (“wireless Ethernet” or “Wi-Fi’) are all sometimes called “data link layer technologies”. The set of devices connected at the data link layer is what is commonly considered a simple “network as opposed to Internetwork

Data Link Layer Sublayers: Logical Link Control (LLC) and Media Access Control (MAC)The data link layer is often conceptually divided into two sublayers: logical link control (LLC) and media access control (MAC). This split is based on the architecture used in the IEEE 802 Project, which is the IEEE working group responsible for creating the standards that define many networking technologies (including all of the ones I mentioned above except FDDI). By separating LLC and MAC functions, interoperability of different network technologies is made easier, as explained in our earlier discussion of networking model concepts.

The following are the key tasks performed at the data link layer:

The layers of the OSI model

Moving down through the layers

Other interesting OSI layer stuff

Packaging the data

I have been running into issues on my home lab when it comes to load balancing. Apparently with the release of the VSphere 5.1 there is a new feature that allows you to migrate running images between hosts without shutting them down first.

The requirements are as follows

Requirements and Limitations for vMotion Without Shared Storage

A virtual machine and its host must meet resource and configuration requirements for the virtual machine files and disks to be migrated with vMotion in the absence of shared storage.

vMotion in an environment without shared storage is subject to the following requirements and limitations:

Migration with vMotion in Environments Without Shared Storage

You can use vMotion to migrate virtual machines to a different host and datastore simultaneously. In addition, unlike Storage vMotion, which requires a single host to have access to both the source and destination datastore, you can migrate virtual machines across storage accessibility boundaries.

In vSphere 5.1 and later, vMotion does not require environments with shared storage. This is useful for performing cross-cluster migrations, when the target cluster machines might not have access to the source cluster’s storage. Processes that are working on the virtual machine continue to run during the migration with vMotion.

You can place the virtual machine and all of its disks in a single location or select separate locations for the virtual machine configuration file and each virtual disk. In addition, you can change virtual disks from thick-provisioned to thin-provisioned or from thin-provisioned to thick-provisioned. For virtual compatibility mode RDMs, you can migrate the mapping file or convert from RDM to VMDK.

vMotion without shared storage is useful for virtual infrastructure administration tasks similar to vMotion with shared storage or Storage vMotion tasks.

Migrate a Virtual Machine to a New Host and Datastore by Using vMotion in the vSphere Web Client

You can move a virtual machine to another host and move its disks or virtual machine folder to another datastore. With vMotion, you can migrate a virtual machine and its disks and files while the virtual machine is powered on.

You can perform vMotion in environments without shared storage. Virtual machine disks or contents of the virtual machine folder are transferred over the vMotion network to reach the destination host and datastores.

To make disk format changes and preserve them, you must select a different datastore for the virtual machine files and disks. You cannot preserve disk format changes if you select the same datastore on which the virtual machine currently resides.

Prerequisites

Procedure

vCenter Server moves the virtual machine to the new host and storage location. Event messages appear in the Events tab. The data that appears in the Summary tab shows the status and state throughout the migration. If errors occur during migration, the virtual machines revert to their original states and locations.