Showing posts with label Windows Clients.

Saturday, September 26, 2015

Security in the Enterprise on Microsoft Virtual Academy (MVA) course

There is a new course on Microsoft Virtual Academy (MVA) about security. Security in the Enterprise is presented by Simon May, Infrastructure Technical Evangelist, and Erdal Ozkaya, Microsoft MVP in Windows IT Pro. It is an entry-level MVA course that explains the concepts and gives some tips for protecting your enterprise. It's worth watching.

This posting is provided “AS IS” with no warranties, and confers no rights!

Sunday, March 29, 2015

Add public certificates by certutil

There are many ways to add public certificates to Trusted Root Certification Authorities or Intermediate Certification Authorities: PowerShell, Group Policy, VBScript and so on. This time, I'd like to use the old tool, certutil. certutil is a built-in tool on Windows Vista and later. To use certutil on Windows Server 2003, we need to install the admin pack, or just copy certadm.dll and certutil.exe to the Windows Server 2003 computers.

Why would we use certutil to add public certificates to computers?

1. The computers don't support importing certificates with PowerShell (the Import-Certificate cmdlet).
2. The computers aren't joined to the domain.
3. To use VBScript, we would need to register CAPICOM.dll on the destination computers before running the script.
4. It prevents the human mistake of adding a public certificate to the wrong store.

How do we import public certificates with certutil?
Run certutil -f -addstore <Store Name> <Public certificate location> at a Command Prompt to add the public certificate to the computer's certificate store (-f overwrites an existing copy of the certificate).

certutil -f -addstore root C:\RootCA.cert adds the public certificate to Trusted Root Certification Authorities.

certutil -f -addstore CA C:\InterCA.cert adds the public certificate to Intermediate Certification Authorities.
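The fourth reason above, avoiding the wrong store, can be enforced by script. The following PowerShell is an added example, not code from the original post: it derives the store from the certificate (a root CA is self-issued), refuses to import a certificate whose thumbprint does not match the value agreed with the CA team, runs the same certutil command, and then confirms where the certificate landed. Both parameters, $CertPath and $ExpectedThumbprint, are assumed inputs.

```powershell
# Added example (not from the original post): pick the store from the
# certificate itself and confirm the import, so a root CA is never dropped into
# the Intermediate store (or vice versa) by mistake. Both parameters are assumed.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,           # e.g. C:\RootCA.cert
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint  # SHA-1 thumbprint agreed with the CA team
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# A root CA is self-issued (Subject equals Issuer); anything else goes to Intermediate (CA).
$store = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }

# Refuse to trust a certificate whose thumbprint was not confirmed out of band.
$expected = $ExpectedThumbprint.Replace(' ', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch for $CertPath (got $($cert.Thumbprint)); not adding to $store"
}

# The post's command, with the store chosen above; run elevated so certutil
# writes to the machine store rather than the current user's store.
& certutil.exe -f -addstore $store $CertPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Verify the certificate now sits in the intended machine store, and warn if a
# copy is also present in the other one.
$other    = if ($store -eq 'Root') { 'CA' } else { 'Root' }
$inTarget = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
$inOther  = Get-ChildItem "Cert:\LocalMachine\$other" | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

if (-not $inTarget) { throw "Certificate not found in LocalMachine\$store after import" }
if ($inOther)       { Write-Warning "The same certificate is also present in LocalMachine\$other" }
"$($cert.Subject) added to LocalMachine\$store (thumbprint $($cert.Thumbprint))"
```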


Thursday, March 19, 2015

Check the credential of a mapped network drive by WMI

Suppose you'd like to know which user name a mapped network drive was connected with. The easy way to find it is to run wmic at a Command Prompt or in PowerShell.

wmic netuse where localname="<Drive letter name>" get UserName /value


You don't need to provide administrator's credential to perform this command.

To check the user name with PowerShell, we can run the following cmdlet.

Get-WmiObject -Class Win32_NetworkConnection | Select UserName


For PowerShell 3.0 or later, we can perform Get-CimInstance -ClassName Win32_NetworkConnection | Select UserName


By the way, there is a useful tool named WMI Explorer. It makes it easy to find the WMI class you need.


Monday, March 9, 2015

Have you used Autoruns, Process Explorer, Process Monitor and so on for troubleshooting a Windows environment?

Yesterday, I helped one of my friends figure out which program was blocking file copies to a USB drive on Windows 7. First of all, I downloaded some Sysinternals tools, such as Process Explorer, Process Monitor and Autoruns, onto his computer. The Sysinternals tools were developed by Mark Russinovich and Bryce Cogswell. Microsoft acquired the company and its assets on 18-Jul-2006.

Then, I tried to use these tools to find out which program blocked the action.

With Process Explorer, I can see all running processes on the computer.



I looked at all processes under "csrss.exe" and closed some of them, but I still had no idea which process was blocking file copies to the USB drive.

After that, I used Process Monitor to capture all activity while I copied a file to the USB drive.


That also gave me no idea about what was blocking file copies to the USB drive from Windows start-up.

Then, I used Autoruns to check for DLLs published by other companies.



I unchecked that DLL and restarted the computer. Eventually, files could be copied to the USB drive.

As a result, I found that the service was run by svchost.exe, using the "Jump to Entry" option in Autoruns.

Besides Autoruns, Process Explorer and Process Monitor, there are many other useful Sysinternals tools for troubleshooting.

For more information:
Sysinternals

TWC | Malware Hunting with Mark Russinovich and the Sysinternals Tools

Sysinternals -- Channel 9 


Tuesday, June 3, 2014

Check local and domain user accounts status

To check a local user account's status, administrators can run "net user <user name>" at a Command Prompt.


For a domain user account, run "net user <user name> /domain" at a Command Prompt.


It also displays the "Last logon" time, "Password expires" and so on.


Friday, May 23, 2014

Windows workstations or Windows Servers fail to open a shared folder provided by network attached storage (NAS)

Symptom
When a workstation connects to a shared folder provided by network attached storage (NAS), the workstation pops up the following error message.

\\<Server Name> is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

The account is not authorized to log in from this station.



Cause
The workstation has the "Microsoft network client: Digitally sign communications (always)" setting enabled in Local Computer Policy or Domain Policy, which is located at "Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options". However, the network attached storage doesn't support or doesn't enable this function.



Resolution
By default, "Microsoft network client: Digitally sign communications (always)" is disabled on standalone workstations, domain workstations and domain member servers. If this setting is enabled, the SMB client requires SMB servers to use SMB message signing. If the network attached storage doesn't support or doesn't enable SMB message signing, Windows computers with this setting enabled reject the SMB connection. Some companies follow a Windows security hardening guide that enables this option by Group Policy.

1. Enable SMB message signing on the network attached storage
If the network attached storage supports SMB message signing, enable it there.

2. Change the "Microsoft network client: Digitally sign communications (always)" setting to Disabled
If this doesn't break your company's Windows security hardening, disable it at the following path.

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network client: Digitally sign communications (always) - Disabled



After updating the setting, administrators have to reboot the server.
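Before choosing between the two resolutions, it helps to confirm that signing really is the cause. The following PowerShell is an added example, not code from the original post: it reads the client's signing requirement from the registry value behind the policy (RequireSecuritySignature under the LanmanWorkstation service), shows the same setting through the SMB cmdlets where they exist (Windows 8 / Server 2012 and later), tests the share, and reports whether established sessions to the NAS are signed. $NasName and $ShareName are assumed values. Note that resolution 1 keeps signing's protection against tampering with SMB traffic, whereas resolution 2 gives it up for every server the client talks to.

```powershell
# Added example (not from the original post): check whether this client demands
# SMB signing and whether the NAS connection fails because of it.
# $NasName and $ShareName are assumed values; replace them with your own.
param([string]$NasName = 'NAS01', [string]$ShareName = 'Share')

# The policy "Microsoft network client: Digitally sign communications (always)"
# is stored as the RequireSecuritySignature value of the LanmanWorkstation service.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$required = (Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
"Client requires SMB signing: $($required -eq 1)"

# Windows 8 / Server 2012 and later expose the same setting through SMB cmdlets.
if (Get-Command Get-SmbClientConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
}

# Try the share; a signing mismatch surfaces as an access failure on the UNC path.
$unc = "\\$NasName\$ShareName"
$reachable = Test-Path -Path $unc
"Share $unc reachable: $reachable"

# Where Get-SmbConnection exists, report whether sessions to the NAS are signed;
# an unsigned session means the server negotiated the connection without signing.
if ($reachable -and (Get-Command Get-SmbConnection -ErrorAction SilentlyContinue)) {
    Get-SmbConnection -ServerName $NasName | Select-Object ServerName, ShareName, Dialect, Signed
}
```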

More information
The Basics of SMB Signing (covering both SMB1 and SMB2)

How to Shoot Yourself in the Foot with Security, Part 1


Tuesday, January 28, 2014

Update the Windows Time Service settings of domain member servers running in Hyper-V virtual machines

Normally, the Windows Time service of a domain member server synchronizes with a domain controller in a domain environment. However, when domain member servers run as virtual machines (Hyper-V), they synchronize their time with the Hyper-V host server because "Time synchronization" under "Integration Services" is enabled in the virtual machines.


To verify the setting, we can log in as the local administrator of a domain member server and then run "w32tm /query /source".


Now, the domain member server is synchronizing its time with the Hyper-V host server.

According to "Time Synchronization in Hyper-V", the "Time synchronization" option of "Integration Services" should stay enabled in virtual machines. However, administrators can update the registry in the virtual machines to stop W32Time from using the Hyper-V time synchronization integration service for moment-to-moment synchronization.

Goal
  • Update the Windows Time Service in a domain member server, TM01, to synchronize a domain controller
Lab

1. On TM01, log in as Local Administrator.
2. Launch "Registry Editor".
3. Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider".
4. On right pane, double-click "Enabled".


5. Next to "Value data", change to "0".


6. Click "OK".


7. Close "Registry Editor".
8. Launch "Command Prompt" as administrator.
9. Perform "w32tm /config /syncfromflags:domhier /update" to update the setting to synchronize the time with a domain controller.


10. Perform "net stop w32time & net start w32time" to restart the Windows Time service.


11. Perform "w32tm /resync /force" to force synchronization.


12. Perform "w32tm /query /source" to verify the result.


As a result, the domain member server, which is a virtual machine, synchronizes its time with a domain controller.
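The same change, scripted so it can be applied to every Hyper-V guest that is a domain member. This is an added example, not code from the original post; it assumes an elevated PowerShell session on the virtual machine and uses the registry path and w32tm commands from the lab steps.

```powershell
# Added example (not from the original post): the lab steps as a script.
# Run from an elevated PowerShell session on the virtual machine (TM01 in the post).
$provider = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

function Get-TimeSource {
    # w32tm prints the current source on its first line, e.g. a domain controller's name.
    (& w32tm.exe /query /source | Select-Object -First 1).Trim()
}

"Before: $(Get-TimeSource)"

# Steps 3-6: stop W32Time from using the Hyper-V integration provider.
Set-ItemProperty -Path $provider -Name Enabled -Value 0 -Type DWord

# Step 9: take the time source from the domain hierarchy.
& w32tm.exe /config /syncfromflags:domhier /update | Out-Null

# Step 10: restart the service so the new configuration is read.
Restart-Service -Name w32time -Force

# Step 11: force an immediate resynchronisation.
& w32tm.exe /resync /force | Out-Null

# Step 12: the source should now be a domain controller rather than the
# Hyper-V provider, which reports itself as "VM IC Time Synchronization Provider".
$after = Get-TimeSource
"After: $after"
if ($after -like '*VM IC*') {
    Write-Warning 'Still synchronising with the Hyper-V host; re-check the registry value and the service restart.'
}
```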


Sunday, January 12, 2014

The trust relationship between this workstation and the primary domain failed

When we use a domain user account to log in to a workstation, we might get the following error.

"The trust relationship between this workstation and the primary domain failed".


This issue can occur on environments from Windows 2000 through Windows Server 2012 R2. How does this error happen? Basically, Active Directory and workstations store two password versions of a domain computer account: the "current password" and the "previous password". If neither of the two password versions held by the workstation matches the copy of the computer account password held on the domain controller, Windows displays "The trust relationship between the workstation and the primary domain failed".

By default, the machine account password changes every 30 days.


We can change this policy by Local Security Policy or Group Policy.

Some cases that cause this error:

1. The computer account was reset.


2. Administrators restore a backup or snapshot that is older than 60 days.

Quote from "Machine Account Password Process":

Now consider the scenario, when a machine is not connected to the network for a long period. Supposing on the client:
  • Old password = null
  • Current password = A
  • New random password = B
And on the machine account in AD:
  • unicodePWD = A
Remark: unicodePWD is the attribute holding the domain controller's copy of the computer account password.

After 30 days when the Scavenger thread runs, the value would be:
  • Old Password = A
  • Current Password = B
At the 60th day the same process happens again. So now the newly generated password is C and the values are:
  • Old password = B
  • Current Password = C
Now when the client connects to AD, it will try the current password to authenticate. When that fails with error. Otherwise machine should be able to reset its password once it boots even after say 90 days.

End of quote from "Machine Account Password Process".

There are three methods to fix this issue.


1. Disjoin the computer from the domain and rejoin it.

With this method, some services or applications cannot be started.


2. Run "netdom resetpwd" to reset the machine account password on the domain computer.

According to KB325860, this procedure is most frequently used on domain controllers, but it also applies to any Windows machine account.

I will try it in my lab.

Lab environment
  • 1 domain controller named DC01 in contoso.com, running Windows Server 2012
  • 1 member server named App01 in contoso.com, running Windows Server 2012
Goal
Perform "netdom resetpwd" to fix "The trust relationship between the workstation and the primary domain failed" issue.


1. On DC01, log in as Domain Administrator.
2. Launch "Active Directory Users and Computers".
3. Locate "App01" and then right-click it.


4. Select "Reset Account".
5. On a pop-up window, click "Yes".


6. Click "OK".


7. Go to App01, log in as Domain Administrator.


Because the computer account has been reset, I cannot log in as any user of this domain. To fix this, we have to log in as Local Administrator and then run "netdom resetpwd".

8. Log in as Local Administrator.
9. Launch "Command Prompt" as an administrator.


10. Perform "netdom resetpwd /s:DC01 /ud:Contoso\Administrator /pd:*" to reset and upload the local machine password to DC01 which is the domain controller.


11. Type the password of the domain administrator and then press "Enter".


12. Perform "nltest /sc_verify:contoso.com" to verify the trust.


13. Log out Local Administrator and log in as Domain Administrator.


As a result, the user can log in the workstation by using a domain user account.

Remark: The "nltest" and "netdom" commands are not included in some Windows versions, such as Windows Server 2003. You need to download and install the Support Tools before using them.

Remark: If you would like to reset the machine password of a domain controller, please follow KB325860 to perform the additional steps.


3. Joe Richards, a Directory Services MVP, wrote a detailed article and a tool, MachinePwd, to fix this issue. If you are interested, please read his blog and follow his steps to fix it.
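Method 2 also has a PowerShell equivalent on Windows 7 / Server 2008 R2 and later: the built-in Test-ComputerSecureChannel cmdlet checks the secure channel and, with -Repair, resets the machine account password the way "netdom resetpwd" does. The following is an added example, not code from the original post; it uses the lab's DC01 and Contoso\Administrator values and is meant to be run as the local Administrator on the affected member server.

```powershell
# Added example (not from the original post): PowerShell equivalent of
# "netdom resetpwd" followed by the nltest verification from step 12.
# Run as the local Administrator on the affected member server (App01 in the lab).
$dc = 'DC01'

# Check the secure channel without changing anything; $false means the
# machine account password no longer matches the copy in Active Directory.
$healthy = Test-ComputerSecureChannel -Server $dc -Verbose
"Secure channel to $dc healthy: $healthy"

if (-not $healthy) {
    # Equivalent of "netdom resetpwd /s:DC01 /ud:Contoso\Administrator /pd:*":
    # reset the machine password locally and write it to the domain controller
    # using a domain administrator credential (prompted for, never hard-coded).
    $cred = Get-Credential 'Contoso\Administrator'
    $repaired = Test-ComputerSecureChannel -Server $dc -Repair -Credential $cred
    "Repair result: $repaired"

    # Same verification the post runs after the reset.
    & nltest.exe /sc_verify:contoso.com
}
```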


Monday, July 8, 2013

Using wmic to find a machine serial number

It is easy for us to find a computer serial number by using wmic.

1. On a computer, log in as Administrator.
2. Launch "Command Prompt" as administrator.
3. Perform "wmic bios get serialnumber".



Wednesday, June 26, 2013

Locate the software GUID

We can use "Registry Editor" to locate installed software GUID.

1. On a computer, log in as Administrator.
2. Launch "Registry Editor".
3. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


These are the GUIDs of the installed software.

Friday, April 19, 2013

Block standard users from logging in to Windows Safe Mode

To block standard users from logging in to Windows Safe Mode on Windows 7 and Windows 8, we can modify the following registry value.

1. On a computer, log in as Administrator.
2. Launch "Registry Editor".
3. Navigate to "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System".
4. Create a new "DWORD (32-bit) Value" named "SafeModeBlockNonAdmins".


5. Double-click "SafeModeBlockNonAdmins".
6. Change the value to "1".


7. Click "OK".
8. Close "Registry Editor".

When a local user or a domain user logs in in Safe Mode, Windows shows the following message.

"Enforced policy permits only administrators to log on in Safe Mode".




Thursday, May 24, 2012

How to check for unexpected shutdowns on Windows (Event ID 6008)

When the Windows system shuts down unexpectedly, it creates an event with ID 6008 in the System log. The event provides the date and time of the last unexpected shutdown.


To check the boot up time of the system, you can perform "systeminfo" at "Command Prompt".
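The following PowerShell is an added example, not code from the original post: it lists the 6008 events from the last $Days days (an assumed lookback window) together with the last boot time that systeminfo also reports, so the shutdown time in each event's message can be compared with the next start-up.

```powershell
# Added example (not from the original post): list unexpected shutdowns
# (event 6008) and the last boot time that "systeminfo" also shows.
# $Days is an assumed lookback window.
param([int]$Days = 30)

# Event 6008 is written to the System log after a dirty shutdown.
$filter = @{ LogName = 'System'; Id = 6008; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Last boot time, the same value "systeminfo" prints as "System Boot Time".
$os = Get-WmiObject -Class Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
"Last boot: $lastBoot"

if (-not $events) {
    "No unexpected shutdowns recorded in the last $Days days."
    return
}

foreach ($e in ($events | Sort-Object TimeCreated)) {
    # The first line of the message carries the date and time of the shutdown
    # itself; TimeCreated is when the event was logged, i.e. at the next start-up.
    New-Object PSObject -Property @{
        Logged  = $e.TimeCreated
        Message = ($e.Message -split "`n")[0].Trim()
    }
}
```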


I hope this information can help you to troubleshoot unexpected shutdown.


Thursday, May 17, 2012

Using "Stored User Names and Passwords"

"Stored User Names and Passwords" allows users to see which network logon credentials are stored on the computer. The credentials include, but are not limited to, those for Outlook, Internet Explorer and mapped network drives. "Stored User Names and Passwords" can also add, remove, edit, back up and restore the credentials.

Remark: Backup and Restore are supported on Windows Vista or later.

To launch "Stored User Names and Passwords", perform "rundll32.exe keymgr.dll,KRShowKeyMgr" in "Run".



1. To back up the credential, click "Back up".
2. Click "Browse", provide a file name for the backup file.


3. Click "Next".
4. Press "Ctrl + Alt + Delete".


5. Provide the password to protect the backup file.


6. Click "Next".
7. Click "Finish".

Then I try to restore the credentials from the backup file.

8. Remove the credential.


9. Click "Restore".
10. Click "Browse", select the backup file.


11. Click "Next".
12. Press "Ctrl + Alt + Delete".
13. Enter the password of the backup file.


14. Click "Next".
15. Click "Finish".


As a result, the credential has been restored.


Thursday, August 25, 2011

Using "Load Hive" to modify a user's registry

In Registry Editor, we can use "Load Hive" to load a user's registry hive. After loading it, we can modify the settings that affect that user.

Suppose the Administrator would like to modify Peter's registry.

1. On a Windows computer, log in as Administrator.
2. Launch "Registry Editor".
3. Select "HKEY_Users".
4. On the menu, click "File > Load Hive".
5. Navigate to Peter's profile directory and select "NTUSER.DAT".


6. Click "Open".
7. Under "Key Name", type "Peter".


Now, you can modify Peter's registry.
8. After modifying Peter's registry, select "Peter". 
9. On the menu, click "File > Unload Hive" to save the settings of Peter's registry.
