Security

Nordic Infrastructure Conference

Alex Mags
While hunting for some Hyper-V videos, I came across recorded sessions from the 4th Nordic Infrastructure Conference. No sales pitches, only some great talks from field-hardened consultants. The sessions are focused on Enterprise Infrastructure (Microsoft Windows Server, System Center, Azure, PowerShell DSC, Identity Management, Security/hacking).

Session info: http://2015.nicconf.com/sessions

Recorded sessions: https://www.youtube.com/channel/UChu8zqu8d1mjWxNRLlGXUAw

AD authentication to AWS from PowerShell

Alex Mags
I’ve done a couple of other posts on using AD credentials with the AWS API. You set up AWS IAM to trust AD Federation Services (ADFS) for authentication. You get temporary access keys to use with the AWS API. This is safer than making lots of IAM accounts with long-term passwords (Secret Access Keys) that end up embedded in code and stored who knows where. See previous posts for an overview of AD authentication to AWS.

Disable user account control (UAC)

Alex Mags
Quick post about how to disable User Account Control for administrators on servers.

Group Policy setting: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting

User Account Control: Detect application installations and prompt for elevation = Disabled

User Account Control: Run all administrators in Admin Approval Mode = Disabled

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA=0

Bitlocker encrypted? Reporting on Bitlocker machine account properties

Alex Mags
Query for Bitlocker recovery keys (properties of machines) and then get the owner of each key. This uses the useful (and free) Quest ActiveRoles cmdlets, but you can do this with the regular ActiveDirectory PowerShell module too.

```
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
$DesktopsOU = "OU=Win7,OU=Workstations,DC=companyname,DC=com" # or whatever your machine OU is
Get-QADObject -SizeLimit 0 -IncludedProperties Name,ParentContainer -SearchRoot $DesktopsOU |
    Where-Object { $_.type -eq "msFVE-RecoveryInformation" } |
    ForEach-Object { Split-Path -Path $_.ParentContainer -Leaf } |
    Select-Object -Unique
```

The following page links to a script which will give you a CSV report http://blog.

AWS API without keys

Alex Mags
Hey there Enterprise Administrator! Avoid storing AWS API keys by using Windows authentication instead.

Are you an Enterprise investigating AWS? Don’t want to become a security news story like these guys? https://www.google.co.uk/search?q=news+aws+secret+access+key+hack

Are you used to multiple levels of physical and logical security for access to your equipment? https://www.youtube.com/watch?v=_qc5TG2ulx8

Is access to your VPC config shielded by nothing but some AWS API credentials (which are probably stored in plain text)? Can your AWS credentials be used from the public internet (instead of only from the Office)?

AD Authentication for AWS console

Alex Mags
When you get started with Amazon Web Services (AWS), one thing to do early is secure access to the web console. Rather than manage another set of user accounts, you can reuse your corporate directory (Microsoft Active Directory) to log in to the AWS console. You use AD Federation Services to do this. Also, if you keep your ADFS server internal, then your AWS console is not accessible from the public Internet.

Windows Authentication in Blackberry Enterprise Server (BES) 12

Alex Mags
Update to previous post on an older BES version (“Test intranet access from Blackberry and other mobile platforms”). For BES12, create a krb5.conf file and upload it to the “Single-sign on” profile (obviously, switch mycompany.com to your own FQDN, and specify the FQDNs for one or more domain controllers. This has been case sensitive in the past).

```
[libdefaults]
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 des3-cbc-sha rc4-hmac
default_realm = MYCOMPANY.COM
[realms]
MYCOMPANY.COM = {
kdc = tcp/DC1.
```

Windows Network List Manager

Alex Mags
Hide “Select a location for the network”

When you deploy Windows 7 you get a prompt: “Select a location for the network”. Laptop users also see this when they connect to a new network or Wi-Fi service. You must pick the local network type. This helps Windows firewall decide if the local network is trusted (Private) or untrusted (Public). Rather than leave this as a manual choice for PC deployment staff and laptop users, you can automate this.

Powershell to disable NetBIOS over TCP/IP

Alex Mags
You don’t need your machines talking to each other via NetBIOS over TCP/IP. Turn this off to cut down on network chatter and reduce your attack surface. The following PowerShell is useful as a step during OS deployment (one-off config), or as a Group Policy startup script (every boot).

```
# disable NetBIOS over TCP/IP on new adapter (legacy protocol not required)
$NETBIOS_DISABLED=2
Get-WmiObject Win32_NetworkAdapterConfiguration -filter "ipenabled = 'true'" | ForEach-Object { $_.
```

OS Hardening guides

Alex Mags
In the bad old days Windows would install in user-friendly, super-accessible mode. You’d then run scripts to lock it down, improving security permissions on registry keys, files and folders, applying reg tweaks, and potentially breaking stuff too. There were lots of security guides around. I’d use these NSA guides and tips from McGraw Hill’s Hacking Exposed. Nowadays Windows comes secure out of the box and you install roles before it’ll do anything.