Nathan's Thoughts and Notes
IT tools and solutions, and thoughts on life.
Author: Nathan Linley (http://www.blogger.com/profile/05564124143656054803)
Feed last updated: 2024-03-19T15:31:16+08:00

Splitting AD integrated reverse DNS zones
Published: 2023-08-20T10:01:00+08:00
If you have an environment with a reverse DNS zone that was created with a broad network range, you may decide at a later point in time that you want to split the zone. The reasons for this might be: ease of management in terms of loading the zone in the DNS management console, easier to find records, requiring differences in record age and scavenging control, etc. For a zone that is AD […]

Defender for Identity agent problems
Published: 2023-04-25T11:52:00+08:00
I've run into a few issues with Azure Advanced Threat Protection Sensor services not starting (aka Defender for Identity). Here are a few tips to work through various issues.
Problem #1: service failing to start due to files not found. The updater service will auto-update the agent version. If you look at the program's directory "C:\program files\Azure Advanced Threat Protection Sensor", you […]

Windows Firewall - network card not detecting the correct connection profile
Published: 2023-04-25T11:37:00+08:00
For people familiar with Windows Firewall, there are 3 profiles that you can create rules for: Private, Public, and Domain. The operating system uses the Network Location Awareness service (NLAsvc) to attempt to identify what type of connection each NIC is on. If your machine is domain-joined to an on-prem Active Directory domain, it will make connection attempts to domain controllers to see if […]

PetitPotam Defenses
Published: 2022-06-23T13:23:00+08:00 (updated 2023-04-19T15:09:28+08:00)
Protection against coerced authentication on domain controllers:
Print Spooler:
Disable the service via group policy on all DCs.
EFS RPC attack:
Create the two RPC filters by putting this in a text file (source):
    rpc
    filter
    add rule layer=um actiontype=block
    add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
    add filter
    add rule layer=um actiontype=block
    add […]

Creating virtual smart card for MIM CM
Published: 2022-02-17T12:05:00+08:00
To use a virtual card on existing profiles that prompt for a PIN in the certificate manager portal site, use this to create the virtual card:
    tpmvscmgr create /name myvsc /pin prompt /adminkey default /generate
When prompted for the default admin key, use: 010203040506070801020304050607080102030405060708
When prompted for the PIN, it will need to be 8 characters long even if it says it can be less than […]

Finding expiring certificates in your CA
Published: 2021-12-29T09:36:00+08:00
A while ago, I was working on a method of discovering and creating alerts for expiring smartcards. While looking at some of the various methods to pull details from FIM certificate manager or the AD certificate services CA that issues the certs, I ended up going with certutil as the tool of choice for pulling the data. The built-in filtering of the results helped give the ability to […]

Task scheduler repeat popup "task scheduler service is not available. Verify the service is running."
Published: 2021-09-28T20:40:00+08:00
Recently I noticed a few different errors on task scheduler on some machines that had gone through in-place operating system upgrades from Windows 2008 to Windows 2016. After the upgrade, when opening the task scheduler GUI tool, it either gave popup messages repeatedly saying the service was not available despite the service being started. Clicking through many of these, it would eventually […]

Capturing unique simple bind or unsigned LDAP queries from a domain controller
Published: 2021-09-28T20:31:00+08:00
Using Get-WinEvent in PowerShell with an XML filter, you can grab the 2889 events from the Directory Service log. These contain the username and source IP.
With some custom-defined attributes within Select-Object along with an array, you can filter this down to unique connections.
    $query = @"
    <QueryList>
    <Query Id="0" Path="Directory Service">
    < […]

Quick way to find all OUs in a domain that block GPO inheritance
Published: 2021-08-05T10:20:00+08:00
Use a bitwise AND (the LDAP matching rule 1.2.840.113556.1.4.803) on the gpOptions attribute of organizationalUnit objects. This will run in seconds compared to attempting to use higher-level functions like Get-ADOrganizationalUnit in combination with Get-GPInheritance.
    get-adobject -ldapfilter "(&(objectclass=organizationalunit)(gpoptions:1.2.840.113556.1.4.803:=1))"

AWS script to launch EC2 instances in various regions for short-term command execution
Published: 2020-11-06T13:04:00+08:00
I'm in the process of doing some service provider evaluation that requires some network tests to be run from various locations around the world. Using VPNs might provide a way to do this, but I've been playing around with AWS lately, so I thought I would give EC2 scripting a try. The code below was created for PowerShell with AWS modules on a Linux machine. The basic […]

AWS storage gateway quick and easy lab
Published: 2020-10-21T12:12:00+08:00
I've been doing some studying of the AWS SysOps exam areas. Storage gateway seemed like a very interesting and useful tool that many organizations are quickly placing in their environment for file storage provisioning or storage capacity expansion. I didn't go too in depth on this; however, I was able to deploy a storage gateway, a Windows AD domain, an NFS share off the gateway, do […]

Convert p7b file to CER/PEM/CRT with Microsoft GUI tools
Published: 2020-10-21T09:29:00+08:00
Double-click the p7b file to open it and expand all the folders. In the list of certificates, you might see multiple certificates, as p7b files can be a collection of certificates, which often include the full chain of certificates up to the root.
When converting to a CER, PEM, or CRT file, we are making a file with one certificate in it, so you need to select the specific cert you […]

End to end network latency
Published: 2020-03-04T10:24:00+08:00 (updated 2021-12-29T09:37:29+08:00)
When it comes to testing connectivity and latency, I've noticed that many IT technicians don't seem to have any tools in their skill set that go beyond a ping. While that works in many situations, there are often situations where ICMP traffic (including ping) is blocked. At this point, the connectivity testing skill set often falls down to a telnet command to the port to see if it's open, instead of […]

FIM CM / MIM CM Certificate Management service account certificate renewals
Published: 2019-11-04T11:22:00+08:00
References:
https://docs.microsoft.com/en-us/previous-versions/mim/hh149034(v=ws.10)
https://blogs.technet.microsoft.com/iamsupport/2016/08/03/support-tip-fim-cm-2010-mim-cm-2016-admin-key-diversification-and-certificate-renewal/
Internally, FIM/MIM Certificate Management has 5 service accounts. 3 of these accounts have certificates stored within their personal certificate store on […]

Service account password resets for FIM CM / MIM CM service accounts
Published: 2019-11-04T10:52:00+08:00
Microsoft's Identity Manager Certificate Management product has several different service accounts associated with its internal functions, as well as an IIS application pool account. As a best practice, it is always good to periodically change service account passwords. For this product, the account passwords are not configured on Windows services or other easily identifiable […]

How to pull a full list of users to certificates and card mappings from FIM CM / MIM CM
Published: 2019-11-04T10:24:00+08:00
If you want to collect a report that combines usernames to certificate serial numbers, linked to the card serial number, along with the date the card was issued, you can use this query on your FIM CM database:
    Select
    u.unc_user_nt4_name, c.cert_issued_serial_number, s.sc_serial_number,
    s.sc_manufacturer_id, q.req_submitted_dt,
    replace(replace(replace(replace(replace(s.sc_status,'1','Assigned'), […]

FIM or MIM certificate manager client tracing (Cmclient)
Published: 2019-09-26T11:00:00+08:00
I have found that most of the posts you can find regarding setting up trace logging on the CM Client side don't really work. These are the steps that MS provided to me in a recent case.
1) Open regedit
   a) create key: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CLM\adk]
   b) create key: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CLM\adk […]

FIM/MIM certificate manager, can't enroll due to wrong number of attributes
Published: 2019-09-26T10:44:00+08:00
Certificate manager can be picky about x86 and x64 versions of Internet Explorer and the CM client software. In the past, I've had cases where the x64 client needed to be installed and x64 IE used. Other times both needed to be x86. Recently I hit this "wrong number of arguments" error while issuing a card in a newly built environment. The issue was resolved by running the […]

Upgrade FIM 2010R2 Certificate Manager to MIM 2016 SP1
Published: 2019-09-26T10:38:00+08:00
I recently ran this scenario through a lab, where I had a Windows 2008R2 server with a FIM 2010R2 instance at a pretty low patch level, along with a CM client installed on the same machine. Going through the upgrade, I followed roughly these steps:
1) Upgrade of the FIM 2010R2 server components to the last released patch level (4.1.3766.0). This step may not have been necessary, but […]

AD groups - setting group owner and delegating permission with PowerShell
Published: 2019-05-08T11:41:00+08:00 (updated 2021-12-29T09:38:00+08:00)
Given that permissions delegation is only a simple checkbox in the AD Users and Computers tool under the manager's name, it would be nice if Set-ADGroup had similar functionality. There are several steps involved in delegating rights, and if the owner is being changed, typically the old owner's rights should be removed. The script below should accomplish this, at least on a single […]

Restricted Windows logon for kids - browser kiosk
Published: 2019-03-07T09:32:00+08:00 (updated 2020-12-03T10:15:29+08:00)
Whenever kids seem to want to use the computer for homework or studying, they quickly drift off into other activities and develop super senses to hear the coming of a parent in order to click all the non-study-related content away. So I looked into possible ways to restrict them to specific sites or apps. Let's assume we're looking at restricting kids to only access Khan Academy for study […]

SSML: Google Text-to-Speech vs Amazon Alexa
Published: 2019-02-28T15:02:00+08:00
After some work on Alexa flash briefing skills and testing the reading of speech with foreign words in it, this led me down the path of having to use text to speech with SSML to create MP3s of approximately what I had wanted originally.
Below are some of my findings on the differences between Amazon Alexa/Polly and Google Text-to-Speech.
Amazon
Prosody tags on individual words are fine and don't […]

Linux Mint (KDE) network manager inactive
Published: 2019-02-28T14:54:00+08:00
One of my lab VMware VMs running the Mint 18.2 KDE version recently lost all network connectivity. Usually I suspend the machine every time I'm powering off the host to keep all my applications and tools in the same state that I left them in. This time when restoring it, it went through a normal OS bootup. After logging in, the network manager tray icon was showing no connections and a […]

Browser video problem, media_error_unknown, ssl_error_rx_record_too_long
Published: 2018-07-18T14:56:00+08:00
My wife recently brought her MacBook to me with a problem that suddenly popped up. Pretty much every website that had embedded video in it, other than YouTube, was suddenly not working. The media player plugins were showing various errors, one of which was media_error_unknown. I opened Chrome's developer tools for a better look at the errors. There were a few that indicated there might be a […]

Useful FIM/MIM links
Published: 2018-05-28T12:39:00+08:00 (updated 2018-12-13T15:02:49+08:00)
1) Setting up a warm standby sync server
2) MIM team community user group
3) MIMWAL extension utility for FIM/MIM workflows
4) Creating rules extensions for MAs
5) Carol's code examples
6) Lithnet GitHub. PowerShell modules, auto scheduler for run profiles, MA connectors and other useful stuff. Don't trust this tool for joins, and possibly write operations. It works at too low of a level and […]