Ultimate Guide to Security on Windows Server 2012 R2


I am so proud and excited to announce that I have finally finished my first book and that it has been released to the public. The book covers security on Windows Server 2012 R2. After a year of working on it, I finally decided not to release it through the Microsoft global marketplace (which is private to training centers worldwide) and instead to self-publish it and make it available to everyone globally.

Learn how to secure the new Microsoft Windows Server 2012 R2 through this completely practical book which includes many step-by-step guides, exercises, and lab scenarios. This book will:

  • Provide beginner to advanced level content on the topic of security
  • Include many step-by-step hands-on labs and exercises
  • Include guides on how to configure commonly used security services such as Network Access Protection, Network Policy Services, Dynamic Access Control, and many more
  • Also include content on how to configure security for Hyper-V
  • Also fit the needs of those managing Windows Server 2008 (R2) environments

This book is a must-read for those who are tired of searching for good content and would like to read something that gets right to the point. You can find more information about the book at www.windowsserversecurity.com and even have a glance inside the book's contents.

Looking forward to your feedback about the book.



Forefront TMG 2010 has been Discontinued !!!

Finally it was announced and Microsoft has decided to discontinue some of its very popular products such as Forefront Threat Management Gateway 2010 together with some others listed below:

  • Forefront Protection 2010 for Exchange Server (FPE)
  • Forefront Protection 2010 for SharePoint (FPSP)
  • Forefront Security for Office Communications Server (FSOCS)
  • Forefront Threat Management Gateway 2010 (TMG)
  • Forefront Threat Management Gateway Web Protection Services (TMG WPS)

It also should be mentioned that among all of these, Forefront Protection 2010 for Exchange Server (FPE) will still be there but will be bound to Office365 and will be called Exchange Online Protection.

I still remember the rumor about this decision from about a year ago, but it was not confirmed then. Now that it is confirmed, there are still questions about why Microsoft made this strategic decision, especially the decision to discontinue TMG, which is a very popular product. It is used by a lot of companies as gateway software for many different purposes. It was the successor to the popular Microsoft ISA Server 2006, and now all of them have been discontinued and will not be developed any further.


Necessary Services on a Domain Controller

Domain controllers are very important servers in every network. The Active Directory service is installed on a domain controller, and very important data about objects and resources is stored on every domain controller. In order to secure a domain controller, or any other computer for that matter, we need to reduce the attack surface by reducing the number of applications and services running on that server or computer.

Windows Server 2008 R2 is an OS with a lot of different services that can run on top of it, but the question is: how many of them, and which ones, need to be running or stopped?

I tried to come up with this table below to specify the state of different services in every domain controller:



| Service | Startup type |
| --- | --- |
| Alerter | Disabled |
| Application Layer Gateway Service | Manual |
| Application Management | Disabled |
| ASP.NET State Services | Disabled |
| Automatic Updates | Automatic |
| Background Intelligent Transfer Service | Manual |
| Certificate Services | Disabled |
| MS Software Shadow Copy Provider | Manual |
| Client Service for NetWare | Disabled |
| ClipBook | Disabled |
| Cluster Service | Disabled |
| COM+ Event System | Manual |
| COM+ System Application | Disabled |
| Computer Browser | Automatic |
| Cryptographic Services | Automatic |
| DHCP Client | Automatic |
| DHCP Server | Disabled, unless acting as a DHCP server |
| Distributed File System | Automatic |
| Distributed Link Tracking Client | Disabled |
| Distributed Transaction Coordinator | Disabled |
| DNS Client | Automatic |
| DNS Server | Automatic |
| Error Reporting Service | Disabled |
| Event Log | Automatic |
| Fax Service | Disabled |
| File Replication Service | Automatic |
| File Server for Macintosh | Disabled |
| FTP Publishing Service | Disabled |
| Help and Support | Disabled |
| HTTP SSL | Disabled |
| Human Interface Device Access | Disabled |
| IAS Jet Database Access | Disabled |
| IIS Admin Service | Disabled |
| IMAPI CD-Burning COM Service | Disabled |
| Indexing Service | Disabled |
| Internet Authentication Service | Disabled |
| Windows Firewall/Internet Connection Sharing (ICS) | Disabled |
| Intersite Messaging | Automatic, if using SMTP for intersite replication |
| IP Version 6 Helper Service | Disabled |
| IPSec Policy Agent (IPSec Service) | Automatic |
| Kerberos Key Distribution Center | Automatic |
| License Logging Service | Disabled |
| Logical Disk Manager | Manual |
| Logical Disk Manager Administrative Service | Manual |
| Message Queuing | Disabled |
| Message Queuing Down Level Clients | Disabled |
| Message Queuing Triggers | Disabled |
| Messenger | Disabled, unless using a UPS |
| Microsoft POP3 Service | Disabled |
| MSSQLServerADHelper | Disabled |
| .NET Framework Support Service | Disabled |
| Net Logon | Automatic |
| NetMeeting Remote Desktop Sharing | Disabled |
| Network Connections | Manual |
| Network DDE | Disabled |
| Network DDE DSDM | Disabled |
| Network Location Awareness (NLA) | Manual |
| Network News Transfer Protocol (NNTP) | Disabled |
| NTLM Security Support Provider | Automatic |
| Performance Logs and Alerts | Manual |
| Plug and Play | Automatic |
| Portable Media Serial Number | Disabled |
| Print Server for Macintosh | Disabled |
| Print Spooler | Disabled |
| Protected Storage | Automatic |
| QoS RSVP | Not Applicable |
| Remote Access Auto Connection Manager | Disabled |
| Remote Access Connection Manager | Disabled |
| Remote Administration Service | Manual |
| Remote Desktop Help Session Manager | Disabled |
| Remote Installation | Disabled |
| Remote Procedure Call (RPC) | Automatic |
| Remote Procedure Call (RPC) Locator | Disabled |
| Remote Registry | Automatic |
| Remote Server Manager | Disabled |
| Remote Server Monitor | Disabled |
| Remote Storage Notification | Disabled |
| Remote Storage Server | Disabled |
| Removable Storage | Disabled |
| Resultant Set of Policy Provider | Automatic |
| Routing and Remote Access | Disabled |
| SAP | Disabled |
| Secondary Logon/RunAs Service | Disabled |
| Security Accounts Manager | Automatic |
| Server | Automatic |
| Shell Hardware Detection | Disabled |
| Simple Mail Transfer Protocol (SMTP) | Automatic, if using SMTP for replication |
| Simple TCP/IP Services | Disabled |
| Single Instance Storage Groveler | Disabled |
| Smart Card | Automatic, if using smart cards |
| SNMP Service | Disabled, unless required in your network |
| SNMP Trap Service | Disabled |
| Special Administration Console Helper | Disabled |
| SQLAgent$* (*UDDI or WebDB) | Disabled |
| System Event Notification | Automatic |
| Task Scheduler | Manual |
| TCP/IP NetBIOS Helper Service | Automatic |
| TCP/IP Print Server | Disabled |
| Telephony | Disabled |
| Telnet | Disabled |
| Terminal Services | Automatic |
| Terminal Services Licensing | Disabled |
| Terminal Services Session Directory | Disabled |
| Themes | Disabled |
| Trivial FTP Daemon | Disabled |
| Uninterruptible Power Supply | Automatic, if using a UPS; otherwise, Disabled |
| Upload Manager | Disabled |
| Virtual Disk Service | Disabled |
| Volume Shadow Copy | Manual |
| WebClient | Disabled |
| Web Element Manager | Disabled |
| Windows Audio | Disabled |
| Windows Image Acquisition (WIA) | Disabled |
| Windows Installer | Manual |
| Windows Internet Name Service (WINS) | Disabled, unless the domain controller is hosting a WINS server |
| Windows Management Instrumentation | Automatic |
| Windows Management Instrumentation Driver Extensions | Manual |
| Windows Media Services | Disabled |
| Windows System Resource Manager | Disabled |
| Windows Time | Automatic |
| WinHTTP Web Proxy Auto-Discovery Service | Disabled |
| Wireless Configuration | Disabled |
| WMI Performance Adapter | Manual |
| Workstation | Automatic |
| World Wide Web Publishing Service | Disabled |

Of course, the right state still depends on which services actually need to run on your domain controller. If, for instance, you want to configure your DC as a DHCP server, then you will have to change the “DHCP Server” service state to Automatic.
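Added example (not part of the original post): a PowerShell audit that compares the real startup mode of services on a domain controller with a few rows of the table above. The choice of rows, the exception list and the function name Compare-ServiceBaseline are assumptions made for this example; services are matched on display name, which differs between Windows versions, so unmatched rows are reported as NotFound.

```powershell
# Added example: audit service startup modes against the baseline table.
# The rows below are a subset copied from the table above.
$baseline = @{
    'Print Spooler'                    = 'Disabled'
    'Telnet'                           = 'Disabled'
    'WebClient'                        = 'Disabled'
    'Routing and Remote Access'        = 'Disabled'
    'DHCP Server'                      = 'Disabled'
    'DNS Server'                       = 'Automatic'
    'Kerberos Key Distribution Center' = 'Automatic'
    'Windows Time'                     = 'Automatic'
    'Remote Procedure Call (RPC)'      = 'Automatic'
    'Windows Installer'                = 'Manual'
}

# Conditional rows ("Disabled, unless acting as a DHCP server") are handled
# with an explicit exception list for the roles this DC really hosts.
# Assumed here: the DC is also the DHCP server.
$allowedExceptions = @{ 'DHCP Server' = 'Automatic' }

function Compare-ServiceBaseline {
    param(
        [hashtable]$Baseline,
        [hashtable]$Exceptions = @{},
        [object[]]$Services      # objects exposing DisplayName, StartMode, State
    )
    # Win32_Service reports 'Auto' where the table says 'Automatic'.
    $modeMap = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = $Baseline[$name]
        if ($Exceptions.ContainsKey($name)) { $expected = $Exceptions[$name] }

        $svc = $Services | Where-Object { $_.DisplayName -eq $name } | Select-Object -First 1
        if (-not $svc) {
            $actual = 'NotFound'; $state = ''; $result = 'NotFound'
        } else {
            $actual = $modeMap[$svc.StartMode]
            if (-not $actual) { $actual = $svc.StartMode }   # Boot/System start modes
            $state = $svc.State
            if ($actual -eq $expected) {
                $result = 'OK'
            } elseif ($expected -eq 'Disabled' -and $state -eq 'Running') {
                # Should be off but is running right now: highest priority.
                $result = 'RunningButShouldBeDisabled'
            } else {
                $result = 'Mismatch'
            }
        }
        New-Object PSObject -Property @{
            Service = $name; Expected = $expected; Actual = $actual
            State = $state; Result = $result
        } | Select-Object Service, Expected, Actual, State, Result
    }
}

# Get-WmiObject also works on PowerShell 2.0 (Windows Server 2008 R2);
# on newer hosts Get-CimInstance -ClassName Win32_Service returns the same fields.
$services = Get-WmiObject -Class Win32_Service
Compare-ServiceBaseline -Baseline $baseline -Exceptions $allowedExceptions -Services $services |
    Sort-Object Result, Service |
    Format-Table -AutoSize
```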

You want to learn more specifically about this topic? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:


I hope you enjoyed it


Microsoft Attack Surface Analyzer

I’m back with a great tool released by Microsoft which is still in beta. It is called Attack Surface Analyzer. This tool is used when you want to know to what extent your system is exposed to attacks after installing software and applications on it.

In order to make use of this tool, you need to scan the system with it once when the system is clean, before the installation of any software or application, to get a baseline scan report. The second time you run a scan is after you have installed applications and software on your system and you want to know how much exposure to attacks they have added. After the second scan is run, it will give you a report of the security vulnerabilities found on your system.

You can download the tool from here.

I hope you can use it for good.


Social Engineering, Still a Big Threat…

If you are working as a security engineer or analyst in a large enterprise, you probably have to deal constantly with a large number of different attacks threatening the network. One of those types of attack is social engineering, which has taken a new shape these days due to the complexity of relationships and the vast growth of social networking websites such as Facebook.

Social engineering, in its simplest definition, refers to the act of talking people into doing something without them even knowing that it harms the company or even themselves. It’s usually planned and carried out by hackers in order to find a way inside big organizations’ networks at the early stages of hacking. Even now, penetration tests performed by security engineers check the social vulnerability of the employees working in the organization.

With the rapid increase in this type of attack, which is really difficult for security people to handle, we can, as I mentioned above, see new types of social engineering attacks taking place. Hackers reach employees through social networking websites to achieve what they cannot achieve using the old methods of cracking. This is pretty much the easiest way an attacker can penetrate the network. For instance, phishing attacks using social networking websites, which could be called a kind of social engineering technique, jumped significantly from 8.3% in January 2010 to 84.5% in December, which pretty much shows their popularity among internet criminals.

But seriously what could be done to stop these attacks from happening?

This really depends on the level of awareness against these types of attacks among the employees. Before I go any further into this discussion, let me ask a question…

Which one would you prefer? Buying the latest and most expensive firewall appliances for your network, or holding regular seminars for the employees?

I am sure more than half would go for firewalls. No one would ever think that security starts from that very employee working inside the organization or company. Even a janitor can reveal so much information about a network. You might think it’s silly but it’s true. Have you ever asked yourself who knows exactly who is on shift at work, who always checks the server room, or what time employees leave their rooms for a break? Yes, that’s the janitor, who sees and knows all of this… How easy do you think it is to get all this information from a janitor? 1 minute? 2 minutes? 15 minutes? Or maybe 1 hour when you treat him to a coffee…

Again, that might seem funny, but these are real-world threats even nowadays… Now that devices are so strong and sometimes unbreakable, hackers turn to human mistakes and vulnerabilities. Yes, that’s true… Here is a link to a roundtable video with two guests from Microsoft talking about social engineering threats.

Trust me guys… Hacking and penetration is as simple as this… Go and think about the culture you need to create among the people in your company, and try to create awareness of any possible attacks…

Good luck

Step-By-Step Guide on Configuring Applocker in the Domain…

As a systems admin, you have probably wanted to prevent your users from using a particular software application. This is pretty common, since using some applications in some network environments is illegal.

In order to block an application, we can make use of a great feature called AppLocker, available in Windows 7 and Windows Server 2008 R2. Here is a step-by-step guide on how to configure AppLocker in the domain or on computers in a specific OU or site.

Let’s assume in this exercise you want to block the Chess game on all the computers in your domain.

First of all, on your DC you need to go to Administrative Tools and open up Group Policy Management console and then right click on the Default Domain Policy and click Edit to open Group Policy Management Editor.

Then here, under Computer Configuration go to Windows Settings -> Security Settings -> Application Control Policies -> AppLocker

Before anything right-click on AppLocker and click on Properties and then under Executable Rules, click on Configured and choose Enforce rules:

And then as shown in the below photo right click on Executable Rules and choose Create New Rule:

Once you click on Create New Rule, this window will open up and you just need to click on Next:

On the next window, you will need to select which users or groups this rule applies to and whether you want the rule to allow or deny them the use of that application. Once configured, click Next:

On the next window choose File Hash and then click Next:

On the next window click on Browse Files and choose the program file and then click Next:

Give the new rule a name and then click Create:

Now the new rule must have been added under Executable Rules as shown below:

Now if anyone in the domain tries to open Chess from their computer, they will receive this message, meaning that Chess game has been blocked by a policy:
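Added example (not part of the original post): the same hash-based Deny rule built with the AppLocker PowerShell cmdlets and tested offline before it is linked to a GPO. The Chess path, the output file name and the LDAP placeholder are assumptions; the example sets the collection to audit-only first, unlike the Enforce rules step above, so the effect can be reviewed. Once any rule exists in the Executable Rules collection and is enforced, files that match no Allow rule are blocked as well, so the default Allow rules (Create Default Rules in the console) need to be present in the GPO.

```powershell
# Added example: create, inspect and dry-run the Chess Deny rule.
Import-Module AppLocker

# Assumed values: usual Windows 7 location of Chess and an arbitrary output file.
$chessPath  = 'C:\Program Files\Microsoft Games\Chess\Chess.exe'
$policyFile = Join-Path $env:TEMP 'BlockChess-AppLocker.xml'

# 1. Hash the file and generate a rule for Everyone.
#    New-AppLockerPolicy only emits Allow rules, so the XML is edited below.
$xmlText = Get-AppLockerFileInformation -Path $chessPath |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'Block Chess' -Xml
$policy = [xml]$xmlText

# 2. Flip the generated rule to Deny and put the Exe collection in audit mode.
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
foreach ($rule in @($exe.FileHashRule)) {
    $rule.SetAttribute('Action', 'Deny')
}
$exe.SetAttribute('EnforcementMode', 'AuditOnly')
$policy.Save($policyFile)

# 3. Dry run: evaluate the policy file against Chess and an unrelated binary.
#    The second file shows what happens to programs no rule mentions.
$targets = @($chessPath, "$env:SystemRoot\System32\notepad.exe")
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $targets -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# 4. AppLocker is only evaluated on clients where the Application Identity
#    service is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# 5. After review, merge the rule into the GPO. The LDAP path is a placeholder,
#    replace it with the distinguished name of your own GPO.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge `
#     -Ldap 'LDAP://CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com'

# 6. While in audit mode, event 8003 records what would have been blocked;
#    8004 records real blocks once rules are enforced.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { 8003, 8004 -contains $_.Id } |
    Select-Object TimeCreated, Id, Message
```

A hash rule matches only the exact file that was hashed, so an updated or modified copy of the program needs a new rule.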



Good luck for the weekend


Forefront Endpoint Protection 2012 Beta is out…

Microsoft has been working on its Forefront products for a while, and they have been really successful in offering products that are of great help in increasing the security of the network environment and systems, both on the server side and the client side.

I personally love them all and have more experience working with Forefront Threat Management Gateway 2010 and truly enjoyed all the better features it has in comparison with ISA Server 2006. When you have the experience of working with a product for quite a long time and wish for some added functionalities, once the new product is out and gives you all of them, that’s when you have a really good feeling. I guess Forefront products give you exactly the same kind of feeling.

Now Forefront Endpoint Protection 2012 Beta is out. Before we go a little bit further with the features, let me give you an overview on what it is. FEP helps businesses efficiently improve endpoint protection while decreasing the costs. It is built on System Center Configuration Manager allowing businesses to use their existing client management infrastructure to manage the endpoint protection. Right now this beta version is compatible with System Center Configuration Manager 2012.

But let’s see what’s new in this new beta release of FEP:

  • Supporting System Center Configuration Manager 2012
  • Improved real time alerts and reports
  • Role-based management
  • User-centric reports (post beta)
  • Easy migration from FEP 2010/ConfigMgr 2007
  • Support for FEP 2010 client agents

FEP 2012 provides protection against known and unknown threats using advanced techniques such as behavior monitoring, network inspection system and heuristics. It also has a real-time cloud-based update system through the SpyNet service, helping it to stay up to date.

If you need more information on FEP you can click here and here.

I hope you will be among the early adopters of FEP 2012.

Encryption at Layer-2 or Layer-3 ??!

This is a question that often comes to mind: where do we need to apply encryption, and why? Do we need to apply it at layer-2, which is much more low-level, or at layer-3, where the Internet Protocol is defined?

Well, in the world today it is the speed of communication that everyone thinks of first, and on that count encryption at layer-2 is the best option if you are sending data over a very fast network and do not want the flow of traffic to be slowed by any means. Layer-2 encryption reduces the overhead required by layer-3 encryption protocols or protocol suites like IPSec and reduces CPU utilization in the devices applying it. Considering the heavy use of VoIP nowadays, and knowing that security and speed play very important roles in voice communications, layer-2 encryption will for sure be the best choice.

That said, layer-3 encryption is still well suited to environments where you have low-bandwidth connections and do not have devices that support encryption at layer-2. There are also situations where companies have offices around the world and it is no longer a matter of only a few devices but hundreds, so you need to consider the fact that encryption at layer-2 works on a hop-by-hop basis and is not end-to-end the way layer-3 encryption is.

Nowadays many devices support layer-2 encryption, and unlike in the past there is a standard for it, so layer-2 encrypted communication is possible between devices from different vendors. For instance, Cisco Catalyst switches (3560-X series and 3750-X series) now support data-link layer encryption with IEEE 802.1AE (MACsec) and 802.1X-REV.

So if you think that you need to apply encryption over your high-speed links and security really matters to you as well as low-latency and simplicity in management, you can for sure go for layer-2 encryption.

The Enhanced Mitigation Experience Toolkit (EMET)

In the previous posts on my blog we talked a little bit about security exploits, how they function, and how to prevent attacks that use them. In this post I am excited to introduce a great toolkit offered by Microsoft to defend against exploitation of the system.

The tool is called the Enhanced Mitigation Experience Toolkit (EMET). It uses exploit mitigation techniques that make it very difficult for exploits to defeat the system. The protection applied by EMET does not guarantee that the system will not be exploited; it just makes it as difficult as possible to exploit the system, even with 0-day exploits.

Working with EMET is pretty simple. You just need to download it from here, install it on your machine, and choose the software that you want it to protect and that you believe is more likely to have a security vulnerability, and then you are all done. All of this is possible through the tool's GUI.

EMET is compatible with any software, and it does not really matter whether the software you want to protect is Microsoft software or not. Below is a screenshot of the toolkit's GUI:

You should for sure try this tool, as it’s a must for every security engineer worried about the security of their environment, with all the software installed on their servers, each piece of which could have security vulnerabilities that put the whole network and system at risk.




Possible Attacks on Windows and Countermeasures – Part 2

In the previous post I talked about password cracking and how you could protect against these attacks. In this article I want to explore another type of attack:

Buffer Overflow Attacks:

This is a very common type of attack that is launched against an operating system (not necessarily Windows) because of a security vulnerability either in the operating system itself or in the applications installed on top of it. Probably the reason why this is such a common type of attack is that security bugs in the software and applications on the OS can also result in a security hole in the OS…

What is buffer overflow vulnerability?

This happens when data copied into the memory buffer is larger than the buffer size making it overflow. This problem could be mostly seen in applications written with C and C++ programming languages which offer no built-in protection against accessing or overwriting data in any part of memory.

This problem could result in the execution of malicious code by a hacker, making it pretty easy for a hacker to execute malicious code on an OS, even remotely, and so gain access to the OS.

When a buffer overflow security hole is found, there will usually be a security advisory released on the OS or software website. To my way of thinking, this security advisory has advantages and disadvantages.

The advantage is that users become more aware of the security vulnerabilities on their OS or software and can better plan for protection using their firewalls by closing specific ports or even disconnecting a specific computer from the internet. I have written a specific article about this that you can read here.

The disadvantage is that hackers become aware of such vulnerabilities and will begin writing malicious exploits for that security bug so that they could take advantage of it to access affected systems. But what are exploits?

Exploits are programs maliciously written to take advantage of a security vulnerability. We have two general types of exploits. One is Remote Exploits that could be run remotely against a server with that problem and the other one is Local Exploits that could be run locally when the hacker has some limited local access on a machine so he could use the exploit to escalate his permission and get full access to the system.

If the vulnerability is pretty critical and is found in a popular OS like Windows or any other common software, worms may be written for it. Worms are exploits with additional capabilities to scan the network, search for any machine with the same security problem, try to penetrate that machine, and keep spreading.

It’s really difficult to say how to protect against these attacks, as there are so many applications installed on the OS and any of them could cause such a problem, but the best practice is to keep your computer up to date by enabling automatic updates in Windows.

There is also a very good feature in Windows called DEP (Data Execution Prevention) that should be turned on. It can protect your computer against this type of attack by monitoring programs to make sure they use computer memory safely. If DEP detects that a program is trying to run instructions from the portion of memory used for data, DEP will close the program and notify you.

You can turn it on from System Properties -> Advanced System Settings -> Performance Settings -> Data Execution Prevention and enable Turn on DEP for essential Windows programs and services only.



Hope you enjoyed it