Month: March 2014

LDAP and AD

SID to Name translation

[adsi]LDAP://<SID=$sid>

GUID to object

[adsi]LDAP://<GUID=$guid>

Sid to Name translation (works with trusts)

string sid="S-1-5-21-789336058-507921405-854245398-9938";
string account = new System.Security.Principal.SecurityIdentifier(sid).Translate(typeof(System.Security.Principal.NTAccount)).ToString();

$objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-44444")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])

Name to SID translation

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

NTAccount f = new NTAccount("username");
SecurityIdentifier s = (SecurityIdentifier) f.Translate(typeof(SecurityIdentifier));

$user=New-Object System.Security.Principal.NTAccount("DOMAIN\Username")
$user.Translate([System.Security.Principal.SecurityIdentifier]).Value

Well know SIDs

LDAP

Creating groups

Adding group member

Removing group member

Deleting groups

AD Searching

#https://blog.stealthbits.com/discovering-service-accounts-without-using-privileges/
$ldapFilter = "(&(objectclass=user)(objectcategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.Searchroot = $domain
$search.PageSize = 1000
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"
$props = "distinguishedname","name","samaccountname","title","department","directreports",
"whencreated","whenchanged","givenname","sn","userprincipalname","adspath","servicePrincipalName"
foreach ($item in $props) {
    $search.PropertiesToLoad.Add($item) | out-null
}
$results = $search.FindAll()
$results | % {}
$GroupName="Domain Admins"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$ldapFilter ="(&(objectCategory=group)(name="+$GroupName+"))"
$search=New-Object directoryservices.DirectorySearcher($domain,$ldapFilter)
$search.SearchScope = "Subtree"
$result=$search.FindAll()
$result | % {(New-Object System.DirectoryServices.DirectoryEntry($_.Path)).Member}

Checking property IsSettable

Get-ADUser "<username>" -Properties * | ForEach-Object {$_.psobject.properties} | Select-Object -Property Name,IsSettable,IsGettable

Common filters

"(&(objectclass=user)(objectcategory=user)(servicePrincipalName=*))" # User accounts with SPN
"(&(objectclass=user)(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" # User accounts with SPN
"(&(objectclass=organisationalUnit)(|(name=*service*)(name=*svc*)))" # User accounts with SPN

UAC – Smart Card Login Enforced on The User
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=262144) )
 
UAC – PWD Never Expires
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))
 
UAC – CAC Enabled Accounts (no disabled accounts or password never expires)
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(userAccountControl:1.2.840.113556.1.4.803:=262144)(userPrincipalName=1*@mil))
 
UAC – Not CAC Enabled (no disabled accounts or password never expires)
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userPrincipalName=1*@mil))

UAC – Users with CAC enabled attributes but not enforced, exclude resource mailboxes (SN=*).
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userPrincipalName=1*@mil)(sn=*)) 

Kerberos Preauthentication Disabled
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))

Azure

Building systems

Powershell DSC and Azure

Networking

Configuring VPN to Azure network

MSDN Configure Azure VPN

Azure VPN behind NAT

IP Blocking in Azure. In my experience it was not necessary to unlock the section.

Application gateway

Azure Load Balancer

Monitoring and SCOM

Monitoring Windows Azure with System Center Operations Manager 2012 – GET ME STARTED (TechNet Blogs)

How to monitor your Windows Azure application with System Center 2012

SQL

Sql Azure backups

SQL Azure backups

Subscriptions

Best practice for managing subscriptions

PGP Signature Validation

Key servers

In order to validate the EMACS signature:

C:\emacs>gpg --verify emacs-24.3-bin-i386.zip.sig
gpg: Signature made 03/17/13 19:55:46 GMT Standard Time using RSA key ID 597F9E69
gpg: Can't check signature: No public key

C:\emacs>gpg --keyserver keys.gnupg.net --recv-keys 597F9E69
gpg: requesting key 597F9E69 from hkp server keys.gnupg.net
gpg: key 597F9E69: public key "Christoph Scholtes " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

C:\emacs>gpg --verify emacs-24.3-bin-i386.zip.sig
gpg: Signature made 03/17/13 19:55:46 GMT Standard Time using RSA key ID 597F9E69
gpg: Good signature from "Christoph Scholtes "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6AE2 B5E8 2C9A B871 2FF3  BCA7 587D E7C6 597F 9E69

Note: this validates the signature against the downloaded key, but does not validate the key itself.

Cisco configuration documents

Cisco ASA configuration guides http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html

Cisco ASA command reference guides http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-command-reference-list.html

ASA 5505

VPN

ASDM V7.3 VPN Configuration

Cisco VPN Tutorials

Java web start

javaws https://10.10.10.10/admin/public/asdm.jnlp