Step-by-Step Guide to EFS Recovery

In this scenario John Smith is an employee who uses his domain credentials to get direct access to Example-Server01, which many employees use to store confidential customer data. John uses the folder C:\Example_Customer1 to store his own customers' data and uses EFS to encrypt the contents of this folder.

After a few months John is asked to leave the company with immediate effect due to integrity issues, and therefore the IT security administrator needs to recover the files he stored in C:\Example_Customer1.


Step-by-Step Guide to Disable Encrypting File System (EFS)

You can disable EFS for a folder, a computer or even the entire domain. To disable EFS for a folder, create a file called Desktop.ini that contains:

[Encryption]
Disable=1

All you need to do is save this file in the folder in which you want EFS to be disabled. When a user tries to encrypt the folder or the files in it, they will see the message "An error occurred applying attributes to the file: filename. The directory has been disabled for encryption."

Please note that only the current folder and the files in it are affected by the Desktop.ini file. If you create a subfolder, both the subfolder and any files in it can still be encrypted. Also, encrypted files can be copied or moved into the directory that contains the Desktop.ini file without losing their encryption.

Disabling EFS for a Stand-Alone Computer

If you want to disable EFS for the entire computer, you need to add an entry to the computer's registry:

  1. In the Run dialog box, type regedit.exe.
  2. Navigate to the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS.
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Enter EfsConfiguration as the value name and 1 as the value data to disable EFS. (A value of 0 enables EFS.)
  5. Restart the computer.
  6. If EFS is disabled and a user tries to encrypt a file or folder, a message tells the user that "An error occurred applying attributes to the file: filename. The directory has been disabled for encryption."
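The two settings described above (the per-folder Desktop.ini and the machine-wide EfsConfiguration value) applied from PowerShell, with a check at the end. This is an added example, not code from the original post; the folder path is an assumption.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumption: C:\Example_Customer1 is the folder in which EFS should be disabled.
$Folder = 'C:\Example_Customer1'

# 1. Per-folder: an [Encryption] section with Disable=1 in Desktop.ini blocks encryption
#    of this folder and the files already in it. Subfolders are not covered, and files
#    that are already encrypted keep their encryption when moved or copied in.
New-Item -Path $Folder -ItemType Directory -Force | Out-Null
$ini = Join-Path $Folder 'Desktop.ini'
Set-Content -Path $ini -Value "[Encryption]`r`nDisable=1" -Encoding Ascii

# 2. Machine-wide: EfsConfiguration = 1 disables EFS for the whole computer
#    (0 re-enables it). The value is only read at boot, so a restart is required.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'EfsConfiguration' -Value 1 -Type DWord

# 3. Verify. Encrypting the folder with cipher.exe is refused because of Desktop.ini
#    (the same "directory has been disabled for encryption" condition the shell shows),
#    and the listing marks the folder and its files with U (unencrypted).
& cipher.exe /e $Folder
& cipher.exe $Folder
Get-ItemProperty -Path $key -Name 'EfsConfiguration' | Select-Object EfsConfiguration
```

Step 2 only takes effect after the restart mentioned above; until then step 3 shows only the effect of the Desktop.ini file.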


Ultimate Guide to Security on Windows Server 2012 R2


I am so proud and excited to announce that I have finally finished my first book and it has been released to the public. This book is on the topic of security on Windows Server 2012 R2, and after a year of working on it I finally decided not to release it through the Microsoft global marketplace (which is private to training centers worldwide) but instead to self-publish it and make it available to everyone globally.

Learn how to secure the new Microsoft Windows Server 2012 R2 through this completely practical book, which includes many step-by-step guides, exercises, and lab scenarios. This book will:

  • Provide beginner to advanced level content on the topic of security
  • Include many step-by-step hands-on labs and exercises
  • Include guides on how to configure commonly used security services such as Network Access Protection, Network Policy Services, Dynamic Access Control, and many more
  • Include content on how to configure security for Hyper-V
  • Also fit the needs of those managing Windows Server 2008 (R2) environments

This book is a must-read for those who are tired of searching for good content and would like to read something that is right to the point. You can find more information about this book at www.windowsserversecurity.com and even glance inside the book's contents.

Looking forward to your feedback about the book.

Cheers,

Esmaeil

Detecting Common Attacks using TMG Intrusion Detection

Apart from the complicated, advanced-level attacks that are targeted against every network every once in a while, there are common attacks that can be really troublesome. A lot of the time this happens when people believe that their network does not contain any data important enough to come under attack; when the attack occurs, they panic because they did not expect it and in fact have nothing in place to stop this type of attack.

Forefront Threat Management Gateway 2010 includes an IDS (Intrusion Detection System) as one of its features, which can detect many of these attacks. To access and configure this feature in TMG, go to Intrusion Prevention System, then click on Behavioral Intrusion Detection, and first click on Configure Detection Settings for Common Network Attacks:

Here you can see a list of different types of attacks that, if checked, will be detected and logged in the Monitoring section of TMG. For instance, if you check Port Scan, you can specify the number of ports that must be scanned before TMG considers the traffic a port scanning attack and logs it.

In the other tab, you can also detect different types of attacks against the DNS service:

Coming back to the Behavioral Intrusion Detection tab in TMG, you can also click on Configure IP Options Filtering to filter specific IP options that may be included in an IP packet's header. Most IP options in the packet header are harmless, but some of them could indicate malicious traffic and must be checked. They are shown in the picture below. If any traffic contains these options in the packet header, it will be dropped if you select Deny packets with the selected IP options.

Under the other tab, called IP Fragment, you can block IP fragments. This blocks the kind of traffic generated by applications that fragment packets so that they are not detected by the firewall. Keep in mind, however, that if you enable blocking of IP fragments you may also block other types of traffic, such as L2TP, which is pretty common in every network that has remote users.

Again under Behavioral Intrusion Detection in TMG, if you click on Configure Flood Mitigation Settings, you will be able to detect and block flood attacks directed at the TMG and at the network behind it. Using this feature you can specify the number of allowed connections of each type to a host; if there are more requests than that, it is detected as a flood attack and denied. You can click on Edit to configure the settings for any of the connection types:

After all this configuration, any traffic detected as an attack will be logged under the Monitoring section in TMG and be visible under Alerts. Once you know the source of the attack, you can easily block it using the firewall feature if it is not already blocked by default.

You want to learn more? Check out my new book below and get access to great and practical tutorials and step-by-step guides, all in one book:


Cheers

Joining Forefront TMG to a Domain or Workgroup…

It has always been a big question whether the firewall protecting the network should be joined to the Active Directory domain or not, and there are many arguments around this topic. In this post I am focusing on Forefront Threat Management Gateway 2010 as our firewall, and we are going to discuss the pros and cons of adding it to a domain or a workgroup.

Type of Installation: Domain-Member

PROS
  • More control over user access in forward and reverse proxy scenarios.
  • Group Policy settings can be applied to the TMG server from the central DC, hardening the server running our firewall.
  • Kerberos authentication can be used when publishing different servers, increasing security.
  • Support for client certificates as the main method of authentication.

CONS
  • If the TMG server is in the perimeter network, separated from the internal network by another firewall, more ports must be opened on that firewall to allow communication between the DC and the TMG.

Type of Installation: Workgroup-Member

PROS
  • If the firewall is compromised, the directory services might not be affected.
  • Even if Active Directory is compromised, the firewall might not be compromised, because it is not part of the domain.

CONS
  • Domain users and accounts cannot be used in integration with the TMG.
  • Client certificates cannot be used as the main method of authentication.
  • User accounts must be created on the firewall itself to allow intra-server communication.
  • Active Directory Group Policy is not supported.
  • TMG client authentication requires account mirroring on the TMG.

What was mentioned above is just a pretty simple comparison that can be found everywhere. Now I want to extend this discussion by first clarifying whether the domain controller and our AD environment will be at risk if we add the TMG to the domain and make it a domain member server. I personally believe that in a simple configuration, joining a TMG server to the domain could expose the network to some security risks and, depending on the knowledge of the attacker, there could be further attacks on the domain controller and also on the other services.

This type of attack usually happens when there is only one layer of TMG firewall between the outside network and the internal network. In a two-level TMG firewall design we have more flexibility with the rules inside TMG. In a two-level, or back-to-back, firewall design we can join the front-end TMG firewall to the domain, so that we can make use of all the domain features for the clients connecting to the front-end TMG, and join the back-end TMG firewall to a workgroup. In this case, even if the front-end TMG is owned by an attacker, there is still a back-end TMG standing between the attacker and the main network and the DC.

The question that might come up here is that the back-end TMG still has some ports open so that the front-end TMG can communicate with the DC in the network, so is having that back-end TMG useful at all? The answer is YES, it is useful, since just opening a port on a firewall to let the authentication traffic through does not expose the network to any security risk. A firewall can stop a lot of different types of attacks, and therefore that back-end TMG can protect the whole network environment even if the front-end domain-member TMG is owned by the attacker.

In this post I just tried to give you some insights. I suggest that whenever you are thinking of integrating any service, software or product with Active Directory, you do not panic because of potential security risks, but instead analyze the situation and what you want to implement, take every step very carefully, and consider even very small risks; then maybe you will realize that integrating services and products with AD is not that scary…

You want to learn more? Check out my new book below and get access to great and practical tutorials and step-by-step guides, all in one book.


Cheers


Security Dependencies

To me, systems security is not all about configuration; it is mostly about design. Staying away from attacks and keeping the environment safe depends very much on how the security engineer designs a system. Many things play very important roles in bringing security to systems, and one of the most important, which deserves a great deal of attention, is security dependencies.

A security dependency occurs when the security of a system depends on the security of another system. This is the case in almost all networks, with all the unified systems deployed in each of them. Take Active Directory for instance. In an AD environment there are many different services that are authenticated and authorized by the Domain Controller. What does this mean? It simply means that the security of all the systems running those services depends on the security of the Domain Controller. Once the DC is hacked, the whole network, with all the services that depend on the DC, is in danger.

This way of thinking gives the security designer a very good view of their design. They know what they need to begin their design with, exactly what kind of data must be stored on each server, and how this data is going to be used by the other servers. Clarifying things this way gives the designer a better view of how to relate services and servers.

We generally have two types of dependencies:

Acceptable dependency: In this type of dependency, a less sensitive service or server depends on a more sensitive server or service. For example, the security of a client PC depends on the security of a DC in an AD network.

Unacceptable dependency: In this type of dependency, a more sensitive service or server depends on a less sensitive server or service. As a simple example, take a DC running Windows Server 2008 R2 in a part of the network that is protected by another server running Windows Server 2003 with Routing and Remote Access Service and a basic firewall. This is where we should think again about our design:

Should we run the AD database on a Windows Server 2008 R2 server and protect it from outside attacks using a Windows Server 2003 server, or the other way around?

Or maybe we should go ahead with a totally different design by adding another Windows Server 2008 R2 server to the network.

Thinking about virtualization technologies, we reach the same point: all the virtual machines (VMs) depend on the security of the hypervisor. With a basic configuration of Hyper-V the whole virtualized environment could be exposed to attacks, and once the host is hacked the other VMs are at risk. Yet again, there are ways to change this kind of dependency and mitigate the attacks; in this post I have explained one of those ways.

All in all, security dependencies always exist in our networks and systems, but what really matters is the level of this dependency and seeing exactly what depends on what. In situations where we have to make a choice, it is very important to analyze the different options we have and then choose the one that makes the less sensitive server dependent on the more sensitive one, if there is no way to eliminate the dependency entirely.
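The acceptable/unacceptable rule above, applied to a small model of the designs discussed in this post. This is an added example, not part of the original post; the system names, the sensitivity levels (higher means more sensitive) and the dependency list are assumptions. It goes one step beyond the text by following dependencies transitively, so that a server which depends on the DC also inherits the DC's dependency on the 2003 firewall.

```powershell
# Added example (not from the original post). Sensitivity levels and the dependency
# graph below are assumptions chosen to mirror the post's examples.
$Sensitivity = @{
    'DC (2008 R2)'   = 3
    'Hyper-V host'   = 3
    'File server VM' = 2
    'RRAS fw (2003)' = 1
    'Client PC'      = 1
}
# Key depends, for its security, on each system in its list.
$DependsOn = @{
    'Client PC'      = @('DC (2008 R2)')                    # acceptable: 1 depends on 3
    'DC (2008 R2)'   = @('RRAS fw (2003)')                  # the post's unacceptable case
    'File server VM' = @('Hyper-V host', 'DC (2008 R2)')    # inherits the DC's weakness
}

function Get-DependencyClosure([string]$System) {
    # Depth-first walk returning every system $System ultimately depends on.
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $stack = [System.Collections.Stack]::new()
    $stack.Push($System)
    while ($stack.Count -gt 0) {
        foreach ($dep in $DependsOn[$stack.Pop()]) {
            if ($seen.Add($dep)) { $stack.Push($dep) }
        }
    }
    return $seen
}

function Find-UnacceptableDependency {
    # A dependency is unacceptable when the dependent system is more sensitive
    # than the system it (directly or transitively) relies on.
    foreach ($sys in $Sensitivity.Keys) {
        foreach ($dep in Get-DependencyClosure $sys) {
            if ($Sensitivity[$dep] -lt $Sensitivity[$sys]) {
                [pscustomobject]@{
                    System = $sys; Level = $Sensitivity[$sys]
                    DependsOn = $dep; DepLevel = $Sensitivity[$dep]
                }
            }
        }
    }
}

# Expected findings: the DC (3) and the file server VM (2) both end up depending on
# the 2003 RRAS firewall (1); the client PC produces no finding.
Find-UnacceptableDependency | Sort-Object System | Format-Table -AutoSize
```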

Cheers

Securing Branch Office Networks using RODCs

Nowadays networks are no longer limited to a single LAN connecting computers together. Companies are growing and so are their networks. Companies have branch offices in remote locations, all connected through different types of network media. So, networks are expanding at the speed of light.

Talking about branch offices, there are many challenges when configuring a network environment in a branch office, and a lot of things need to be considered. I would like to briefly describe three of these challenges here:

Cost Control: Reduce the cost of managing and supporting remote offices (including making the most efficient use of network links).

Security: Improve the security of data and access.

Agility: Provide a flexible infrastructure that maximizes the IT investment.

In this blog post I am only going to talk about security, as one of the most important concerns when implementing branch offices, and this note will mostly revolve around network environments implemented and configured on Microsoft systems.

One major component of Windows Server 2008 R2 that has a direct impact on securing your branch offices is the Read-Only Domain Controller (RODC).

As the name suggests, RODCs hold read-only copies of the AD DS database, meaning that they require only unidirectional replication for Active Directory, as well as for the File Replication Service (FRS) and Distributed File System Replication (DFSR).

This one-way replication brings along a security benefit. Any compromise or other issue that introduces poisoned data into the RODC’s local copy of the AD DS database cannot be replicated back to the rest of the domain controllers in the other locations from the affected RODC. This is certainly a mitigation that can help stop a local problem from becoming a global problem.

One-way replication brings benefits in terms of designing your replication topology and controlling replication traffic, as well. Bridgeheads and hubs do not have to poll the RODC for changes. The RODC performs normal inbound replication for AD DS and FRS and any DFSR changes.

Because the RODC is a member of the domain, sometimes it has a need to write to Active Directory. However, it does not write to the local database, but will instead connect to a writable domain controller, just like a workstation. The RODC computer account is a workstation account, so it has very limited rights to write to AD DS—again to minimize any damage to the enterprise AD DS if the RODC is compromised. Because they are “workstations” in this sense, RODC computer accounts are not members of the Enterprise Domain Controllers (EDC) or Domain Domain Controllers groups.

Administrative Role Separation:

With Role Separation you can delegate the local administrator role of an RODC computer to any domain user without granting that user any rights to the domain itself or to other domain controllers. In Windows Server 2003, DCs didn’t have a local administrator; if you could administer a DC, you could administer the whole domain.

Administrative Role Separation can allow a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver, without allowing that user to log on to any other domain controller or manage the domain.

All in all, RODCs provide a way to deploy domain controllers more securely in a branch office location, because they are designed to be placed in locations that require rapid, reliable, and robust authentication services but that might also have a security limitation that limits or prevents deployment of a writable domain controller. With an RODC, organizations can mitigate the risks of deploying a domain controller in locations where physical security cannot be guaranteed.

Necessary Services on a Domain Controller

Domain controllers are very important servers in every network. Active Directory is installed on a domain controller, and very important data about objects and resources is stored on every domain controller. To secure a domain controller, or generally any other computer, we need to reduce the attack surface by reducing the number of applications and services running on that server or computer.

Windows Server 2008 R2 is an OS with a lot of different services that can run on it, but the question is how many of them, and which ones, need to be running or stopped?

I tried to come up with the table below to specify the state of the different services on every domain controller:


Service: Desired state

Alerter: Disabled
Application Layer Gateway Service: Manual
Application Management: Disabled
ASP.NET State Services: Disabled
Automatic Updates: Automatic
Background Intelligent Transfer Service: Manual
Certificate Services: Disabled
MS Software Shadow Copy Provider: Manual
Client Service for NetWare: Disabled
ClipBook: Disabled
Cluster Service: Disabled
COM+ Event System: Manual
COM+ System Application: Disabled
Computer Browser: Automatic
Cryptographic Services: Automatic
DHCP Client: Automatic
DHCP Server: Disabled, unless acting as a DHCP server
Distributed File System: Automatic
Distributed Link Tracking Client: Disabled
Distributed Transaction Coordinator: Disabled
DNS Client: Automatic
DNS Server: Automatic
Error Reporting Service: Disabled
Event Log: Automatic
Fax Service: Disabled
File Replication Service: Automatic
File Server for Macintosh: Disabled
FTP Publishing Service: Disabled
Help and Support: Disabled
HTTP SSL: Disabled
Human Interface Device Access: Disabled
IAS Jet Database Access: Disabled
IIS Admin Service: Disabled
IMAPI CD-Burning COM Service: Disabled
Indexing Service: Disabled
Internet Authentication Service: Disabled
Windows Firewall/Internet Connection Sharing (ICS): Disabled
Intersite Messaging: Automatic, if using SMTP for intersite replication
IP Version 6 Helper Service: Disabled
IPSec Policy Agent (IPSec Service): Automatic
Kerberos Key Distribution Center: Automatic
License Logging Service: Disabled
Logical Disk Manager: Manual
Logical Disk Manager Administrative Service: Manual
Message Queuing: Disabled
Message Queuing Down Level Clients: Disabled
Message Queuing Triggers: Disabled
Messenger: Disabled, unless using a UPS
Microsoft POP3 Service: Disabled
MSSQL$UDDI: Disabled
MSSQLServerADHelper: Disabled
.NET Framework Support Service: Disabled
Net Logon: Automatic
NetMeeting Remote Desktop Sharing: Disabled
Network Connections: Manual
Network DDE: Disabled
Network DDE DSDM: Disabled
Network Location Awareness (NLA): Manual
Network News Transfer Protocol (NNTP): Disabled
NTLM Security Support Provider: Automatic
Performance Logs and Alerts: Manual
Plug and Play: Automatic
Portable Media Serial Number: Disabled
Print Server for Macintosh: Disabled
Print Spooler: Disabled
Protected Storage: Automatic
QoS RSVP: Not Applicable
Remote Access Auto Connection Manager: Disabled
Remote Access Connection Manager: Disabled
Remote Administration Service: Manual
Remote Desktop Help Session Manager: Disabled
Remote Installation: Disabled
Remote Procedure Call (RPC): Automatic
Remote Procedure Call (RPC) Locator: Disabled
Remote Registry: Automatic
Remote Server Manager: Disabled
Remote Server Monitor: Disabled
Remote Storage Notification: Disabled
Remote Storage Server: Disabled
Removable Storage: Disabled
Resultant Set of Policy Provider: Automatic
Routing and Remote Access: Disabled
SAP: Disabled
Secondary Logon/RunAs Service: Disabled
Security Accounts Manager: Automatic
Server: Automatic
Shell Hardware Detection: Disabled
Simple Mail Transfer Protocol (SMTP): Automatic, if using SMTP for replication
Simple TCP/IP Services: Disabled
Single Instance Storage Groveler: Disabled
Smart Card: Automatic, if using smart cards
SNMP Service: Disabled, unless required in your network
SNMP Trap Service: Disabled
Special Administration Console Helper: Disabled
SQLAgent$* (*UDDI or WebDB): Disabled
System Event Notification: Automatic
Task Scheduler: Manual
TCP/IP NetBIOS Helper Service: Automatic
TCP/IP Print Server: Disabled
Telephony: Disabled
Telnet: Disabled
Terminal Services: Automatic
Terminal Services Licensing: Disabled
Terminal Services Session Directory: Disabled
Themes: Disabled
Trivial FTP Daemon: Disabled
Uninterruptible Power Supply: Automatic, if using a UPS; otherwise, Disabled
Upload Manager: Disabled
Virtual Disk Service: Disabled
Volume Shadow Copy: Manual
WebClient: Disabled
Web Element Manager: Disabled
Windows Audio: Disabled
Windows Image Acquisition (WIA): Disabled
Windows Installer: Manual
Windows Internet Name Service (WINS): Disabled, unless the domain controller is hosting a WINS server
Windows Management Instrumentation: Automatic
Windows Management Instrumentation Driver Extensions: Manual
Windows Media Services: Disabled
Windows System Resource Manager: Disabled
Windows Time: Automatic
WinHTTP Web Proxy Auto-Discovery Service: Disabled
Wireless Configuration: Disabled
WMI Performance Adapter: Manual
Workstation: Automatic
World Wide Web Publishing Service: Disabled

Of course, it still depends on which services necessarily need to be running on your domain controller; if, for instance, you want to configure your DC as a DHCP server, then you will have to change the "DHCP Server" service state to Automatic.

You want to learn more specifically about this topic? Check out my new book below and get access to great and practical tutorials and step-by-step guides, all in one book:
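A way to audit a domain controller against the table above and, on request, enforce it. This is an added example, not part of the original post; the hashtable holds an excerpt of the table's unconditional rows (extend it in the same form), and the conditional rows (DHCP Server, WINS, SMTP, UPS, Smart Card, SNMP) are deliberately left out because they depend on the DC's roles.

```powershell
# Added example (not from the original post). Audit by default; -Enforce applies the table.
param([switch]$Enforce)

# Excerpt of the table: display name -> desired startup type.
$Desired = @{
    'Alerter'                            = 'Disabled'
    'Application Layer Gateway Service'  = 'Manual'
    'Computer Browser'                   = 'Automatic'
    'Distributed File System'            = 'Automatic'
    'DNS Server'                         = 'Automatic'
    'File Replication Service'           = 'Automatic'
    'IIS Admin Service'                  = 'Disabled'
    'Kerberos Key Distribution Center'   = 'Automatic'
    'Net Logon'                          = 'Automatic'
    'Print Spooler'                      = 'Disabled'
    'Remote Registry'                    = 'Automatic'
    'Routing and Remote Access'          = 'Disabled'
    'Telnet'                             = 'Disabled'
    'Windows Time'                       = 'Automatic'
    'World Wide Web Publishing Service'  = 'Disabled'
}

# Win32_Service reports StartMode as Auto / Manual / Disabled; map the table's wording.
$ModeMap  = @{ 'Automatic' = 'Auto'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }
$services = Get-CimInstance -ClassName Win32_Service

$report = foreach ($display in $Desired.Keys) {
    $svc = $services | Where-Object DisplayName -eq $display
    if (-not $svc) {
        # Services from the table that this OS version does not ship are reported, not failed.
        [pscustomobject]@{ Service = $display; Expected = $Desired[$display]
                           Actual = 'not installed'; Status = 'Skipped' }
        continue
    }
    $want = $ModeMap[$Desired[$display]]
    $ok   = ($svc.StartMode -eq $want)
    if (-not $ok -and $Enforce) {
        Set-Service -Name $svc.Name -StartupType $Desired[$display]
        # Changing the startup type does not stop a running instance, so stop it as well.
        if ($want -eq 'Disabled' -and $svc.State -eq 'Running') {
            Stop-Service -Name $svc.Name -Force
        }
    }
    [pscustomobject]@{
        Service  = $display
        Expected = $want
        Actual   = $svc.StartMode
        Status   = if ($ok) { 'OK' } elseif ($Enforce) { 'Fixed' } else { 'Drift' }
    }
}
$report | Sort-Object Status, Service | Format-Table -AutoSize
```

Run it without -Enforce first and review the Drift rows; a DC that also hosts a role such as DNS or DHCP needs the matching conditional rows added before enforcing.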


I hope you enjoyed it

Cheers

Microsoft Attack Surface Analyzer

I'm back with a great tool released by Microsoft, which is still in beta. It is called Attack Surface Analyzer. This tool is used when you want to know to what extent your system is exposed to attacks after installing a lot of software and applications on it.

To make use of this tool, you need to scan the system with it once when the system is clean, before the installation of any software or application, to get a baseline scan report. The second time you run a scan is when you have installed applications and software on your system and want to know how much attack exposure they have added to it. After the second scan is run, it gives you a report of the security vulnerabilities found on your system.

You can download the tool from here.

I hope you can use it for good.

Cheers

Step-By-Step Guide on Configuring Applocker in the Domain…

As a systems admin, you have probably wanted to prevent your users from using a particular software application. This is pretty common, since using some applications in some network environments is illegal.

To block an application, we can make use of a great feature called AppLocker, available in Windows 7 and Windows Server 2008 R2. Here is a step-by-step guide on how to configure AppLocker in the domain or on computers in a particular OU or site.

Let’s assume in this exercise you want to block the Chess game on all the computers in your domain.

First of all, on your DC go to Administrative Tools, open the Group Policy Management console, right-click the Default Domain Policy and click Edit to open the Group Policy Management Editor.

Then, under Computer Configuration, go to Windows Settings -> Security Settings -> Application Control Policies -> AppLocker.

Before anything else, right-click on AppLocker, click on Properties, and then under Executable Rules check Configured and choose Enforce rules:

Then, as shown in the photo below, right-click on Executable Rules and choose Create New Rule:

Once you click on Create New Rule, this window will open up and you just need to click on Next:

On the next window, select which users or groups this rule applies to and whether you want the rule to allow or deny them the use of that application. Once configured, click Next:

On the next window choose File Hash and then click Next:

On the next window click on Browse Files, choose the program file, and then click Next:

Give the new rule a name and then click Create:

Now the new rule should have been added under Executable Rules, as shown below:

Now if anyone in the domain tries to open Chess from their computer, they will receive this message, meaning that the Chess game has been blocked by a policy:
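The same deny-by-hash rule built with the AppLocker PowerShell module instead of the GUI, tested before it is deployed, and merged into the Default Domain Policy. This is an added example, not code from the original post; the Chess.exe path, the DC name and the domain DN are assumptions.

```powershell
# Added example (not from the original post). Run as a domain admin on the DC.
Import-Module AppLocker

# Assumption: the Windows 7 Chess executable at its usual location; adjust as needed.
$Target = 'C:\Program Files\Microsoft Games\Chess\Chess.exe'
$XmlOut = Join-Path $env:TEMP 'DenyChess.xml'

# 1. Collect the file's hash information (the SHA256 the "File Hash" wizard page uses).
$fileInfo = Get-AppLockerFileInformation -Path $Target

# 2. Generate a hash-rule policy for Everyone. New-AppLockerPolicy only emits Allow
#    rules, so the action is flipped to Deny in the XML and enforcement is switched on
#    (the equivalent of "Configured" + "Enforce rules" in the Properties dialog).
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Hash `
                   -User 'Everyone' -RuleNamePrefix 'Block Chess' -Xml
$exeRules = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exeRules.EnforcementMode = 'Enabled'
foreach ($rule in $exeRules.FileHashRule) { $rule.Action = 'Deny' }
$policy.Save($XmlOut)

# 3. Check the outcome offline: PolicyDecision should read Denied for Chess.exe.
Test-AppLockerPolicy -XmlPolicy $XmlOut -Path $Target |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Merge into the Default Domain Policy (its well-known GUID is used below; replace
#    the DC host name and the domain DN with your own). -Merge keeps the GPO's existing
#    rules: an enforced Exe collection denies every executable that no Allow rule
#    matches, so the default Allow rules must already be present in the GPO.
$gpoLdap = 'LDAP://DC01.example.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},' +
           'CN=Policies,CN=System,DC=example,DC=com'
Set-AppLockerPolicy -XmlPolicy $XmlOut -Ldap $gpoLdap -Merge
```

Enforcement on the clients also requires the Application Identity service (AppIDSvc) to be running there; without it the rule is present but never evaluated.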

You want to learn more? Check out my new book below and get access to great and practical tutorials and step-by-step guides, all in one book:


Good luck for the weekend

Cheers