Powershell

Active Directory Tiered Administration Model

Alex Mags


The Active Directory Tiered Admin Model is a way to organise AD users and groups with very clear boundaries between standard user accounts and their permission groups, server and application administrative accounts and groups, and domain-wide access accounts and groups. Creating and enforcing these boundaries hinders privilege escalation from desktop/user level access to domain compromise. Here’s some automation to set it up.

LDAPS with self-signed certificate

Alex Mags


This post describes how to keep user passwords transmitted in LDAP authentication requests safe. Lightweight Directory Access Protocol (LDAP) is an open standard for directories. It underpins Microsoft Active Directory Domain Services (ADDS). Applications need to check in with a central directory to authenticate user sign-ins. Other authentication protocols (OAuth, SAML, Kerberos, even NTLM) are preferred, but still, even today, you’ll need to accommodate self-hosted business applications that only support LDAP for authentication. In my experience these are often Java-developed apps or apps hosted on Linux. This post has some PowerShell to generate encryption certificates (private and public keys) to enable SSL-encrypted LDAPS communication with domain controllers.

Auto Configure Git client proxy authentication

Alex Mags
This post has some PowerShell to make the Git client work on Windows in a corporate environment. Short version: use the Microsoft Credential Manager for Git. Don’t expose passwords in plaintext in Git config or environment variables. The Microsoft Credential Manager will store creds for the proxy and the Git repo in Windows Credential Manager. The Git client doesn’t accept a domain name in Git config, so when you enter creds in Credential Manager change the ID to the <userID> format. Automatically configure the Git client to authenticate with the corporate proxy, because the Git client doesn’t support Web Proxy Auto Discovery (WPAD).

PowerShell wait music

Alex Mags
My long-running PowerShell scripts now have background musak thanks to:
http://www.adminarsenal.com/admin-arsenal-blog/powershell-music-remotely
https://www.youtube.com/watch?v=FsoIfkNQYEg
http://youtube-mp3.org/

# MediaPlayer lives in the WPF PresentationCore assembly; load it first
Add-Type -AssemblyName PresentationCore
$scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
$musakFilePath = "$scriptDir\musak.mp3"
$wmplayer = New-Object System.Windows.Media.MediaPlayer
$wmplayer.Open($musakFilePath)
Start-Sleep 2 # This allows the $wmplayer time to load the audio file
$duration = $wmplayer.NaturalDuration.TimeSpan.TotalSeconds
$wmplayer.Play()
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
# Use TotalSeconds, not Seconds: Seconds wraps back to 0 every minute, so the loop would never end for tracks over a minute
while ($stopwatch.Elapsed.TotalSeconds -lt $duration) {
    Write-Progress -Activity "Doing stuff, please hold…" -Status "$([int]$stopwatch.Elapsed.TotalSeconds) seconds" -PercentComplete ($stopwatch.Elapsed.TotalSeconds / $duration * 100)
    # do something
    # break when done
    Start-Sleep -s 1
}
$wmplayer.

AD authentication to AWS from PowerShell

Alex Mags
I’ve done a couple of other posts on using AD credentials with the AWS API. You set up AWS IAM to trust AD Federation Services (ADFS) for authentication, and you get temporary access keys to use with the AWS API. This is safer than making lots of IAM accounts with long-term passwords (Secret Access Keys) that end up embedded in code and stored who knows where. See previous posts for an overview of AD authentication to AWS.

AWS API without keys

Alex Mags
Hey there Enterprise Administrator! Avoid storing AWS API keys by using Windows authentication instead.

Are you an Enterprise investigating AWS? Don’t want to become a security news story like these guys? https://www.google.co.uk/search?q=news+aws+secret+access+key+hack
Are you used to multiple levels of physical and logical security for access to your equipment? https://www.youtube.com/watch?v=_qc5TG2ulx8
Is access to your VPC config shielded by nothing but some AWS API credentials (which are probably stored in plain text)? Can your AWS credentials be used from the public internet (instead of only from the office)?

Windows Server 2012 nic teaming with powershell

Alex Mags
Some PowerShell to configure NIC Teaming on Windows Server 2012. Note: pick the teaming mode and load balancing algorithm to suit your networking environment. The config below is for two NICs going to independent switches in active-passive mode (no LACP). Also note that the order Windows discovers and labels NICs may not match your hardware vendor’s labelling at the back of the server.

# Check current state of NICs and do teaming
if (Get-NetLbfoTeam) {
    Write-Host "Nic Team already exists"
} else {
    Write-Host "Renaming NICs"
    # Rename Ethernet & Ethernet2 to Nic1 & Nic2 etc
    $nicIndex = 1
    Get-NetAdapter | ForEach-Object { $_ | Rename-NetAdapter -NewName "Nic$nicIndex" ; $nicIndex++ }
    # Create team for Nic1,2
    Write-Host "Teaming Nic1 and Nic2"
    $team = New-NetLbfoTeam -Name NicTeam -TeamMembers Nic1,Nic2 -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false
    # Configure Nic2 as standby
    Write-Host "Configuring Nic2 as standby"
    Set-NetLbfoTeamMember -Name "Nic2" -AdministrativeMode Standby
    # loop until this NIC team is up
    while ($team.

Powershell to disable NetBIOS over TCP/IP

Alex Mags
You don’t need your machines talking to each other via NetBIOS over TCP/IP. Turn this off to cut down on network chatter and reduce your attack surface. The following PowerShell is useful as a step during OS deployment (one-off config), or as a Group Policy startup script (every boot).

# disable NetBIOS over TCP/IP on new adapter (legacy protocol not required)
$NETBIOS_DISABLED = 2
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "ipenabled = 'true'" | ForEach-Object {
    $_.