Exploiting Unicode Character RTL ‘RIGHT-TO-LEFT OVERRIDE’ (U+202E)



This is one of the easiest exploits to implement on Microsoft Windows systems, yet it's impossible to mitigate against. This exploit can be used for domain names as well :- http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing



Obfuscating Executables



  • CORP_INVOICE_08.14.2011_Pr.phyldoc.exe was made to display as CORP_INVOICE_08.14.2011_Pr.phylexe.doc by placing the Unicode right-to-left override character just before the “d” in “doc”.
  • SexyAlexe.ppt is what the user sees; the raw file name is SexyAl\u202Etpp.exe (UTF-8 bytes SexyAl\xe2\x80\xaetpp.exe)
  • \u202Ecod.yrammus_evituc\u202D2011.exe (UTF-8 bytes \xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe); U+202D is LEFT-TO-RIGHT OVERRIDE, which switches the rest of the name back to left-to-right
  • \u202Etpp.stohsnee\u202Dfunny.scr (UTF-8 bytes \xe2\x80\xaetpp.stohsnee\xe2\x80\xadfunny.scr)
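To see what a user is shown versus what Windows will actually execute, here is an added Python example (not from the original post) that flags bidi control characters in file names and simulates the rendered name using the Unicode bidi algorithm's explicit overrides and reordering rule L2 (UAX #9). It assumes the rest of each name is plain left-to-right text, and the sample names are the ones listed above plus one constructed benign name.

```python
# Added example (not part of the original post): flag Unicode bidi control
# characters in file names and show the extension that would actually run.
import unicodedata

RLO, LRO, PDF = "\u202e", "\u202d", "\u202c"
# All directional formatting characters. Any of them inside a file name is a
# red flag; only RLO/LRO/PDF are modelled in displayed_name() below.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def find_bidi_controls(name):
    """Return (index, Unicode character name) for each bidi control in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def actual_extension(name):
    """The extension Windows acts on: whatever follows the last '.' in the raw string."""
    _, dot, tail = name.rpartition(".")
    return tail.lower() if dot else ""


def displayed_name(name):
    """Simulate how a bidi-aware UI renders name.

    Implements the UAX #9 explicit override levels (RLO/LRO/PDF) and the
    reordering rule L2, assuming every visible character is otherwise
    left-to-right (Latin letters, digits, punctuation), as in the samples.
    """
    chars, levels, stack = [], [], [0]
    for ch in name:
        cur = stack[-1]
        if ch == RLO:                       # push next odd level: forced RTL
            stack.append(cur + 1 if cur % 2 == 0 else cur + 2)
        elif ch == LRO:                     # push next even level: forced LTR
            stack.append(cur + 2 if cur % 2 == 0 else cur + 1)
        elif ch == PDF:                     # pop the innermost override
            if len(stack) > 1:
                stack.pop()
        elif ch in BIDI_CONTROLS:           # other controls are zero-width; skip
            continue
        else:
            chars.append(ch)
            levels.append(cur)
    odd_levels = [lv for lv in levels if lv % 2]
    if not odd_levels:
        return "".join(chars)               # nothing was forced right-to-left
    # Rule L2: from the highest level down to the lowest odd level, reverse
    # every contiguous run of characters at that level or higher.
    for lvl in range(max(levels), min(odd_levels) - 1, -1):
        i = 0
        while i < len(chars):
            if levels[i] < lvl:
                i += 1
                continue
            j = i
            while j < len(chars) and levels[j] >= lvl:
                j += 1
            chars[i:j] = chars[i:j][::-1]
            levels[i:j] = levels[i:j][::-1]
            i = j
    return "".join(chars)


def analyse(name):
    """Compare what the user sees with what the OS will execute."""
    shown = displayed_name(name)
    report = {
        "raw": name,
        "displayed": shown,
        "displayed_ext": actual_extension(shown),
        "actual_ext": actual_extension(name),
        "bidi_controls": find_bidi_controls(name),
    }
    report["suspicious"] = bool(report["bidi_controls"]) or (
        report["displayed_ext"] != report["actual_ext"]
    )
    return report


# Constructed samples: the raw names from the list above plus one benign name.
SAMPLES = [
    "SexyAl\u202Etpp.exe",
    "\u202Ecod.yrammus_evituc\u202D2011.exe",
    "\u202Etpp.stohsnee\u202Dfunny.scr",
    "quarterly_report.pdf",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = analyse(sample)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:10} shown as {r['displayed']!r:32} runs as .{r['actual_ext'] or '(none)'}")
```

The same check can be run over a mail gateway's attachment names or a file server listing: any bidi control in a name, or a mismatch between the displayed and real extension, is worth quarantining for review.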

Microsoft Partner Information


OSD – Injecting the Windows 7 Kernel Mode Driver Framework (KMDF)


  1. Download the Kernel-Mode Driver Framework from http://www.microsoft.com/en-au/download/details.aspx?id=38423
  2. Open the MSU file kmdf-1.11-Win-6.1-x64.msu with 7-Zip and extract it to a folder called Windows 7 KMDF 1.11
  3. Copy the contents to the OSD folder location
  4. Identify the location of the OSD WIM file
    1. Open ConfigMgr \ Software Library \ Operating Systems \ Operating System Images \ select the image and open Properties \ select Data Source and take note of the image path
    2. \OSD\Operating System\Windows 7 Enterprise with Sp1 x64 – WIM only\install.wim
  5. Run the Deployment and Imaging Tools Environment with elevated administrator privileges – C:\Windows\system32\cmd.exe /k "C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\DandISetEnv.bat"
  6. DISM.exe /Get-WimInfo /WimFile:C:\test\images\myimage.wim /Index:1
  7. MD E:\Scratch (create the folder the image will be mounted in)
  8. DISM.exe /Mount-Wim /WimFile:C:\test\images\myimage.wim /Index:1 /MountDir:E:\Scratch
  9. DISM.exe /Image:E:\Scratch /Get-Packages
  10. DISM.exe /Image:E:\Scratch /Add-Package /PackagePath:C:\packages\package.cab
  11. DISM.exe /Image:E:\Scratch /Get-Packages (confirm the package shows as Install Pending)
  12. DISM.exe /Unmount-Image /MountDir:E:\Scratch /Commit
  13. DISM.exe /Unmount-Wim /MountDir:E:\Scratch /Discard (use this instead of step 12 to throw the changes away)

DISM.exe /Mount-Wim /WimFile:"E:\OSD\Operating System\Windows 7 Enterprise with Sp1 x64 – WIM only\install.wim" /index:1 /MountDir:E:\Scratch
DISM.exe /Image:E:\Scratch /Get-Packages
Dism /Image:E:\Scratch /Add-Package /PackagePath:"E:\OSD\Operating System\Windows 7 KMDF 1.11\Windows6.1-KB2685811-x64.cab"
DISM.exe /Image:E:\Scratch /Get-Packages

Package Identity : Package_for_KB2685811~31bf3856ad364e35~amd64~~
State : Install Pending
Release Type : Update
Install Time : 28-Nov-2014 5:10

dism /unmount-Image /mountdir:E:\Scratch /commit



Defending against CryptoLocker with Group Policy Software Restriction


The latest variants of CryptoLocker can bypass Microsoft Endpoint Protection even with the latest definitions :- https://www.staysmartonline.gov.au/alert_service/message?id=1145582&name=Fake+speeding+ticket+emails+distributing+ransomware#.VHaOwlAcQ-V

Please use the following Group Policy to stop it from executing out of %AppData%:-

Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules

*.SCR and *.TMP are known virus extensions

  • %AppData%\*.exe Disallowed
  • %AppData%\*\*.exe Disallowed
  • %TEMP%\*.exe Disallowed
  • %TEMP%\*\*.exe Disallowed
  • %TMP%\*.exe Disallowed
  • %TMP%\*\*.exe Disallowed

[Screenshot: Group Policy Management Editor, 2014-11-27]


** I would suggest blocking all files (*.*) or just selected executable file extensions:- http://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows/


.bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh,.htm


[Screenshot: Group Policy Management, 2014-12-19]

More Locations to protect:

  • %UserProfile%\Local Settings\Temp\Rar*\*.exe
  • %UserProfile%\Local Settings\Temp\7z*\*.exe
  • %UserProfile%\Local Settings\Temp\wz*\*.exe
  • %UserProfile%\Local Settings\Temp\*.zip\*.exe
  • %LocalAppData%\Temp\Rar*\*.exe
  • %LocalAppData%\Temp\7z*\*.exe
  • %LocalAppData%\Temp\wz*\*.exe
  • %LocalAppData%\Temp\*.zip\*.exe

Registry lock down

I would suggest restricting these keys for users, but more testing is required:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall


Command to check: accesschk -w -s -q -u Interactive "C:\Windows"

[Screenshot: Command Prompt, 2014-11-27]


If you do get hit:

  1. Shut down the affected workstation ASAP.
  2. Stop all file shares.
  3. Recover from the last known good backup (we had VSS and NetApp, so we only lost 4 hours of work).
  4. Check personal storage software like Dropbox, which got hit as well.
  5. Upload the virus file to https://www.virustotal.com/en/ or https://www.microsoft.com/security/portal/submission/submit.aspx (this way the virus engines will create a definition and help others avoid infection).

Deep Investigation

I looked a bit closer at how these viruses actually get executed:

  1. The first method is to change the icon of the executable (*.exe) to a PDF icon. Users normally can’t see file extensions and will double-click it thinking it’s a PDF file.
  2. The “Unitrix” exploit (so named by Avast): the Unicode character U+202E, Right-to-Left Override
    1. http://www.voltage.com/blog/standards/a-clever-use-for-u202e/
    2. http://www.explainxkcd.com/wiki/index.php/1137:_RTL
    3. http://www.howtogeek.com/127154/how-hackers-can-disguise-malicious-programs-with-fake-file-extensions/

Other protection

  1. Educate users
  2. Turn on Data Execution Prevention – System Properties / Advanced / Performance Options / Data Execution Prevention / Turn on DEP for essential Windows programs and services only
  3. User Access Control Settings – Always notify
  4. Internet Options / Security Settings – Local Intranet Zone
  5. Application Whitelisting
    1. https://technet.microsoft.com/en-us/library/bb457006.aspx
    2. https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

Educate Users

The authors of this kind of malware release updates very quickly and change significant characteristics of the malware families involved, evading anti-malware signatures. We see a lot of ransomware on a daily basis, around 50 new sub-variants per day. The people who write this malware constantly make changes to it and test it against a large group of AV engines with the latest definitions to make sure it is not detected. Compare this with a website like www.virustotal.com, only they have their own private environment. So it is just a race between the malware authors and the AV software.

The use of public/private key cryptography makes it infeasible to discover or calculate the decryption key.
The malware encrypts files locally and on any mapped network drives, which expands the potential for damage.

Encrypted files are registered under HKEY_CURRENT_USER\Software\CryptoLocker\Files

Here is the latest blog from the Microsoft Malware Protection Center on this kind of ransomware. It has some information about the common infection vectors.


Some other blogs:

  • Word OneNote Blog - http://blogs.technet.com/b/wordonenotesupport/archive/2013/09/09/quot-cannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
  • BGP Blog - http://blogs.technet.com/b/bgp/archive/2013/09/09/quot-cannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
  • Excel Blog - http://blogs.technet.com/b/the_microsoft_excel_support_team_blog/archive/2013/09/07/quot-cannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx

This emphasises the importance of educating users: the attacker always tries to infect users through spam email and malicious websites.

  1. For most of the infection vectors, the attacker relies on social engineering to get you to run the program, much the same way a con man gets your bank account details. Therefore the VERY FIRST line of defense to prevent this virus is DO NOT RUN ATTACHMENTS UNLESS YOU KNOW THEY ARE SAFE. You may also need to educate the users about the common attack methods the attackers use.
  2. Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    Please also evaluate the write permissions on the shared folder and remove any unnecessary write permissions.
  3. Always keep your patch levels up to date, especially Java, Adobe and IE. This helps stop the attacker using known vulnerabilities to infect users. Simply visiting a compromised website can cause infection if certain vulnerabilities in the browser or its add-ins are not patched.
  4. Filter spam email on the email server; you can use anti-spam software. Configure your email server to block or remove email that contains file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  5. We also need to back up our important documents regularly.

Official Symantec MSS Alert


Symantec MSS Threat Landscape Update – Cryptowall 2.0


On October 15th, 2014, researchers from the Bleeping Computer forum released a blog article about a new variant of Cryptowall, a.k.a Cryptodefense. This malware is your traditional “ransomware” with some added features.


This new variant provides a unique bitcoin payment address to every infected user. Previously, all infected users paid into the same payment address, which meant that one infected user could redirect funds paid by another infected user.

Another new feature is the ability to securely delete the original files after they are encrypted. In the previous version, deleted files could be recovered using file recovery tools. Cryptowall 2.0 wipes the original files, making recovery impossible unless you pay the ransom or restore from backup.

All of Cryptowall’s ransom servers are located on the anonymous TOR network. Before, users had to install TOR on their systems in order to pay the ransom. This was a confusing process for the user, so the attackers moved to a web-to-TOR gateway which allows users to access TOR servers without having to install software. The old version of Cryptowall used a third party provider for this service, but once this was discovered it was blacklisted. The new version of TOR now uses its own web-to-TOR gateways, avoiding any blacklisting.

Cryptowall currently uses four web-to-TOR gateways as outlined by Bleeping Computer. They are the following:

  • Tor4pay[.]com
  • Pay2tor[.]com
  • Tor2pay[.]com
  • Pay4tor[.]com

This new variant is being distributed through phishing emails using the RIG Exploit kit.


For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding signature states on your devices, or would like to request the activation of a specific signature, we can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at https://mss.symantec.com.

For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.

MSS SOC Analytics Detection

  • URL Analytics (WSM Signatures)

[MSS URL Detection] Possible Trojan.Cryptodefense(Cryptowall) C&C Traffic

Vendor Detection

  • Symantec AV




  • Symantec IPS

System Infected: Trojan.Cryptodefense Activity

Web Attack: Exploit Toolkit website 47

Web Attack: Malicious Executable Download 2

Web Attack: MSIE CVE-2013-2551 3

Web Attack: Rig Exploit Kit Website 5

Web Attack: Rig Exploit Kit Website 9

Web Attack: Rig Exploit Kit Website 4

Web Attack: Rig Exploit Kit Website 21

  • Snort/Emerging Threats (ET)

SID – 2809047 – ETPRO TROJAN Possible Cryptowall Infection in Windows Roaming Profile (DECRYPT_INSTRUCTION.URL ascii)

SID – 2018452 – ET TROJAN CryptoWall Check-in

SID – 2016809 – ET TROJAN Likely CryptoWall .onion Proxy DNS Lookup

SID – 2018610 – ET TROJAN Likely CryptoWall .onion Proxy Domain in SNI

SID – 2018397 – ET TROJAN Cryptodefense DNS Domain Lookup

  • Snort/Sourcefire

SID – 31450 – MALWARE-CNC Win.Trojan.CryptoWall Outbound Connection Attempt

SID – 31449 – MALWARE-CNC Win.Trojan.CryptoWall Downloader Attempt

SID – 32225 – MALWARE-CNC Win.Trojan.CryptoWall Variant Outbound Connection Attempt

SID – 31223 – MALWARE-CNC Win.Trojan.CryptoWall Variant Outbound Connection Attempt

SID – 31447 – BLACKLIST DNS Request for Known Malware Domain mediaocean[.]home[.]pl – Win.Trojan.CryptoWall

SID – 31448 – BLACKLIST DNS Request for Known Malware Domain nofbiatdominicana[.]com – Win.Trojan.CryptoWall

SID – 31369 – EXPLOIT-KIT Rig Exploit Kit Outbound Microsoft Silverlight Request

SID – 31455 – EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request

  • TippingPoint

HTTP: CryptoWall Communication Attempt

  • FireEye


This list represents a snapshot of current detection. As threats evolve, detection for those threats can and will evolve as well.



  • Rig Exploit Kit Used in Recent Website Compromise


  • Updated CryptoWall 2.0 ransomware released that makes it harder to recover files


  • Recovering Ransomlocked Files Using Built-In Windows Tools


  • CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ


Thank you for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at https://mss.symantec.com.

Global Client Services Team

Symantec Managed Security Services

MSS Portal: https://mss.symantec.com

MSS Blog: http://www.symantec.com/connect/symantec-blogs/cyber-security-group

ADFS Certificate Renewal


Certificate Re-key or Renewal Instructions

  1. Create a Certificate Signing Request – https://support.godaddy.com/help/article/4800/generating-iis-7-csrs-certificate-signing-requests
  2. When you receive the email confirmation you have 72 hours to install the new Certificate, otherwise the old certificate will be revoked.
  3. Import the Certificate into IIS – https://support.godaddy.com/help/article/4801/installing-an-ssl-certificate-in-microsoft-iis-7?locale=en
  4. Export the Certificate from IIS into .pfx format; to be used on other IIS servers
  5. Import the Certificates into Local Computer Intermediate CA and Personal
  6. For ADFS/CRM – using Certificate Manager, select the certificate located in Personal, select Manage Private Keys and give NETWORK SERVICE and the CRM application account rights to the certificate. Check the application pool to see which account CRM is running as.
  7. Do this on both the CRM and ADFS servers
  8. http://support.microsoft.com/kb/2921805
  9. http://support2.microsoft.com/kb/2686840

Licensing Requirements for Disaster Recovery Data Center

Microsoft’s fail-over rights under the Product Use Rights (PUR) (for volume licensees and Enterprise Agreements)
This is my understanding; I have yet to find any Microsoft articles confirming it.

For any Operating System Environment (OSE) in which you use Running Instances of the server software, you may use up to the same number of passive fail-over Running Instances in a separate OSE on any Server for temporary support.

COLD Data Center

You can build the machines with, say, Exchange, then switch them off.

You can periodically update them with data, although strictly speaking it is not supposed to be replicating one way all of the time. I think with the latest rules change, this is once every 90 days for data and testing…

Also under these rules, the systems need to go back to the primary machines once the affected machines are restored, and these DR units turned off once more.
If they exist in an active – active state, yes.

DR application servers with SA in a cold state (Exchange, SharePoint, SQL etc.): No

DR OSE (Windows Server OS): YES



[Embedded document: Wp En Microsoft License DR]



There is no entitlement for DR; all licenses must be purchased.

Hybrid Cloud and SDDC Conceptual Design

Workload Profiles

  • VDI
  • Database Applications
  • Responsive Apps
  • General Purpose

Performance Matrix

(Identify where your workloads range and design solutions accordingly)

  • Compute Low, Medium, High
  • Memory
  • IOPS
  • Storage
  • Networking

Workload Categories

(Networking should be 10 GB or 40 GB InfiniBand)

  • General Purpose
    • SSD Cache
    • SATA
  • Compute Optimised
    • Latest Intel
    • SSD
    • SAS
  • Memory Optimised – For large databases, SharePoint server farms, and high-throughput applications
    • MAX Memory
    • SSD
    • SAS
  • Storage Optimised
    • FlashIO
    • SSD
    • Large SAS
  • Data Warehouse / File Servers
    • Large SAS

Instance Types (match Azure)


  • DMZ
  • PCI
  • WIBs
  • Server
  • Desktop
  • Management

Design Decision

  • 100% Microsoft Cloud, StorSimple and SuperMicro server solutions
  • Hybrid Backup and DRaaS Veeam No SAN Solution
  • VMware vSphere 6
  • FileShares on Azure Steelhead
  • Cloud IaaS (Azure, AWS) are not mature enough for complex Enterprise Workloads and Networking
  • Build to move all workloads to cloud in 3-5 years (Azure or VMware Air)
  • Veeam DR Partner
  • Virtualise Firewall
    • Fortinet or Checkpoint ASA
  • BCP Site
  • Daily Backups
    • Veeam Backup Partner
    • Azure Steelhead
  • Long Term 7 Year Retention
    • AWS Storage Gateway Announces Gateway-Virtual Tape Library (Gateway-VTL)
    • Microsoft Data Protection to Azure Backup
    • Steelhead Azure WAN Accelerators
  • Co-lo (Managed Firewall and Switch)
  • Use Megaport NaaS – http://www.megaport.com/ecosystem/connected-data-centres.html

Capacity uplifts Standard

What is required to maintain and monitor capacity and availability?


  • Windows VSS Enablement


  • NextDC / CloudPlus and Azure ExpressRoute for Veeam Backup and / DR
  • Equinix / Nexon and Azure ExpressRoute


  • Cloud repositories – use the new Veeam Cloud Connect functionality in v8 to get backups offsite easily and efficiently
  • Offsite replica VMs – maintain VM replicas in the cloud for quick recovery in the event of a disaster
  • Backup-as-a-Service (BaaS) powered by Veeam
    Offload backup to a Veeam Cloud Provider, and free up IT resources for more strategic business-building activities. You continue to run your VMs onsite, while your Veeam Cloud Provider provides backup to meet your RTOs and RPOs using the #1 VM Backup, Veeam Backup & Replication.
  • Disaster Recovery-as-a-Service (DRaaS) powered by Veeam
    Use a Veeam Cloud Provider to replicate your VMs to the cloud for fast recovery in the event of a disaster. You continue to backup VMs as you do today, while your Veeam Cloud Provider provides an added measure of protection by replicating VMs offsite.
  • Note: With BaaS and DRaaS, backup and replication are managed by the service provider (it’s not Veeam Backup & Replication delivered in a Software-as-a-Service, or SaaS model.)
  • http://www.veeam.com/find-a-veeam-cloud-provider.html

Right Sizing Information Gathering

  • VMware Capacity Planner or Microsoft Assessment and Planning Tool
  • NetApp nSANity AutoSupport Reports
  • Veeam ONE (VMware changes)
  • Core switch performance (Observium)
  • MAX/Averages (CPU, Networking, IOPS, Memory)
  • Tape Size
  • Backup Frequency and Sizes
  • RVTools

Compute, Networking and Memory Requirements

  • Storage Total Size 20 TB
  • CPU Mark Total
  • Memory Total
  • Backup Delta / Hot and Cold
  • Growth
  • CIFS Storage
  • Mail
  • SQL DBs
  • Core Switch Bandwidth (Business hours)
    • Average
    • Min/Max

Backup Retention Requirements

No-SAN Issues

  • Monolith VMs (Vertical Scale)
    • Large Memory Requirements
    • Large Storage Requirements
  • Clustering (AlwaysOn)
  • How to maintain capacity growth
  • Native CIFS/NFS
  • Separate DMZ ( need to use virtual networking)
    • http://www.cisco.com/c/en/us/products/security/asa-1000v-cloud-firewall/index.html
    • NSX


  • SeaMicro
  • VMware EVO:RAIL – http://www.vmware.com/au/products/evorail
  • Nutanix
  • VMWare AIR
  • Veeam
  • HP Converged
  • HP VSA
  • AppVolumes
  • VMware vSAN
  • Azure InMage

Certified Hyper-V Compute and 10 GB Converged Networking

VM Templates

  • Small: 1 vCPU, 2 GB memory, 50 GB disk
  • Medium: 2 vCPU, 4 GB memory, 100 GB disk
  • Large: 4 vCPU, 8 GB memory, 200 GB disk

Sizing Tools

  • http://h71019.www7.hp.com/ActiveAnswers/us/en/sizers/hp-sizer-server-virtualization.html
  • http://www.cisco.com/c/en/us/solutions/data-center-virtualization/data_center_value_zone.html
  • http://virtualsansizing.vmware.com/
  • Data Center Cost
  • http://www.cisco.com/c/en/us/support/web/tools-catalog.html
  • http://www.joshodgers.com/vsphere-cluster-sizing-calculator/

NetApp Performance


1. Browse to the file share \\FILER_NAME\ETC$\log\autosupport
2. Locate the most recent folder with name YYMMDDHHMM.0 or .1
3. Ensure you have selected the most recent folder with a *.0 or .1 name.
4. Folder should have at least 150 files in it.
5. Package/zip the entire contents of this folder to provide to TD


1. Browse to the file share \\FILER_NAME\ETC$\log\stats\archive
2. Each *.gz file represents 1 hour of data
3. By default, collect 50 *.gz files (approximately 2 days) of recent activity that represents the typical workload on your filer. You can extend this to 100 files to assess a longer time period if desired.
4. Note: for ONTAP release 7.x browse to \\FILER_NAME\ETC$\stats\archive
5. Zip the Autosupport package with the performance stats package into a single compressed file and send to TD
6. Alternatively, you can forward an autosupport email

Cost Items

  • Azure Costs
    • VPN and Express Connect
    • Backup VM Storage
  • Co-Location
    • Switch
    • FC Switch
    • Internet Connections
  • Design Items
    • VMware
      • vSAN
      • DMZ (NSX/Checkpoint)

Critical Path

  • Costs Solution
  • Engage Microsoft Consulting Services to Validate Design
  • Acquire Rack Spaces and Servers/Equipment
  • Design IP and Networking Layer
  • Configure Routers and Layer 2 Bridge and ExpressRoute and MegaPort
  • Design VM, Server and Hybrid Solution
  • Test Components
  • Migrate Workloads to Equinix (Nexon) Production
  • Migrate Workloads to NextDC DC and setup UAT/DEV
  • Consolidate Workloads to Hyper-V
  • Integrate Backup Exec tape recovery


Migrate to Cloud

  • Cloud Security Policy (SANS Controls + SLA + Monitoring + Encryption + Access + DR + Restore)
  • Azure Backup
  • Extend Network to Azure Virtual Network
  • Azure VMs
  • Azure Site Recovery
  • Microsoft Migration Accelerator
  • Azure Network Extension
  • Application Dependency Mapping
  • SQL DB
  • File Server
  • Exchange DB
  • Sharepoint
  • Azure Web Sites
  • Responsive Web Servers (Full Solution)
  • Active Directory/2-Factor
  • Managed Firewall
  • Managed Switch
  • Visual Studio Online
  • Sharepoint
  • Load Balancer
  • Docker Apps
  • Develop Cloud Security Policy

HowTo: Find and/or cleanup old computer accounts in AD



Dsquery is a command-line tool that is built into Windows Server 2008.
It is available if you have the Active Directory Domain Services (AD DS) server role installed.
To use dsquery, you must run the dsquery command from an elevated command prompt.
To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

To find inactive computer accounts (number is inactivity in weeks):
dsquery computer -inactive 2

To find computers with stale passwords (number is stale in days)
dsquery computer -stalepwd 45

You can also pipe the results into dsmod or dsrm to disable or delete the accounts in one step:

dsquery computer -inactive 4 | dsmod computer -disabled yes
dsquery computer -stalepwd 45 | dsrm computer

You can get additional info on these tools with dsquery computer /?, dsmod computer /? and dsrm computer /?


HowTo: Configure IE Proxy Settings via Group Policy


This might seem simple, but there were a few tricky issues doing this via GPO. There is already a lot of information on this subject, and all of the background is here :- How to apply “The content of IE Settings” in GPO (which used IEM (IE Maintenance) before IE10) to IE10+ versions, since IEM has been deprecated from IE10 :- http://blogs.msdn.com/b/asiatech/archive/2014/05/12/how-to-apply-the-content-of-ie-settings-in-gpo-which-used-iem-ie-maintenance-before-ie10-to-ie10-version-since-iem-has-been-deprecated-begin-from-ie10.aspx

I will just document exactly how to configure this setting:

  1. Set up the correct IE proxy settings on an existing workstation
    1. Use INETCPL.cpl
  2. Export the settings for the following keys:
    1. reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings
    2. ProxyServer
    3. ProxyOverride
    4. ProxyEnable
    5. DefaultConnectionSettings (this value changes based on the other settings)
  3. Create a new Group Policy, create the following registry keys and set the action to Update
    1. User Configuration \ Preferences \ Windows Settings \ Registry
    2. Create each of the registry keys as per step 2

HowTo: Design a Secure Windows 2012 R2 Standard Operating Environment (SOE)


[Screenshot: Tripwire SecureCheq, 2014-10-20]

It doesn’t matter the size of your organisation or the compliance posture it must adhere to: every device on the network should be hardened and maintained. I worked for one of the largest IT companies in the world, and it was the only company that had proper Windows operating system hardening and security compliance management. I also worked for a very large bank, and the security team, numbering 50+, just didn’t understand how to develop a proper baseline for security compliance and copied and pasted information from another IT vendor! What I am trying to say is: there are different levels of security experts.

So here is a basic overview of how to create a secure Windows 2012 R2 SOE. This method can be applied to any supported OS.
Firstly, understand your security posture requirements:- I have listed a few here : http://virtualizationandstorage.wordpress.com/2013/02/21/compliance-information/

It is also important to understand the SANS Critical Controls and defeating kill chains.

This course is also a good starting point – SEC505: Securing Windows with the Critical Security Controls:- http://www.sans.org/course/securing-windows

Understand the Critical Security Controls – http://virtualizationandstorage.wordpress.com/2014/10/23/critical-security-controls-and-defeating-kill-chains/

Security Standards

These are the core security standards and vital information for Windows hardening.

The above websites and tools can be used to develop the required baseline for your environments. The Microsoft Security Compliance Manager is the starting point for this process. You can use this software to understand all the settings and then export them into a Group Policy that can be used to harden the operating system. Once you have a policy set up, you need to maintain that posture using desired state management and continuous monitoring.

Desired State

Security Scanners

Once you have the base policy using the above methods, you need to run two types of scanners on your base OS. The first is a security scanner run against your OS, making adjustments as required. The other one I recommend is a tool that checks and updates all the software on the base OS image. The key tool to use is Nessus, which can be configured to scan and alert on items for PCI compliance, etc.

The following three tools are required to create a solid secure SOE. These tools are NIST Security Content Automation Protocol (SCAP 1.2) validated tools.

** You cannot create a secure hardened OS without a security scanner.

Implement OS Encryption

Implement BitLocker


Install Microsoft Enhanced Mitigation Experience Toolkit https://technet.microsoft.com/en-us/security/jj653751

Here is a link to my own SOE settings – http://virtualizationandstorage.wordpress.com/2014/01/16/windows-2012-r2-soe/

BREAKING TYPICAL WINDOWS HARDENING IMPLEMENTATIONS – https://www.trustedsec.com/blog/breaking-typical-windows-hardening-implementations/