Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store
Mike Middleton, Justin Prosco
Mandiant, A FireEye Company

Mike Middleton
- Principal Consultant
- Joined Mandiant in 2010
- Forensic, IR, application and network penetration experience
- Big Yankees fan
- Attempting to learn guitar
- This is dog, my human is sleeping. Over.

Justin Prosco
- Principal Consultant
- Joined Mandiant in years of incident response and forensics experience
- Contributor to Incident Response & Computer Forensics Third Edition

Agenda
- Password Harvesting Techniques from Active Directory
- Volume Shadow Copy Service (VSS)
- PowerShell
- Detecting VSS Password Harvesting
- Forensic Artifacts and Investigation Techniques
- Audit Settings
- Mitigating Password Harvesting Attacks
- Focus on Windows 2008 &

Active Directory
- Directory Services for Windows Domains
- Active Directory Data Store
  - ESE (Extensible Storage Engine) file that contains domain user account password hashes
  - Stored on disk
  - Default location: %systemroot%\ntds\ntds.dit

Password Harvesting
- Usually involves dumping memory from lsass.exe
- Typically the best method to obtain account passwords
- Examples: Mimikatz, Windows Credentials Editor, etc.

Issues for Attackers
- Involves transferring tools to the remote system
- Can be detected by antivirus or HIPS
- Unsigned code difficult to run on domain controllers using application whitelisting
- Usually leaves behind forensic evidence of password harvesting

Solution: NTDS.DIT
- If domain controller is secured, take the Active Directory databases for offline password recovery
- Problem: NTDS.DIT is locked for reading

Volume Shadow Copy Service
- Designed to back up files that are in use
- First introduced in Windows XP
- Shadow copies can be created on a regular schedule
  - Windows Task Scheduler
  - Default: No schedule
- Created when system updates are applied or on application installation

Volume Shadow Copy Tools
- Built-in tools for accessing Volume Shadow Copies:
  - vssadmin: manipulate Volume Shadow Copies
  - ntdsutil: manage the Active Directory Data Store
- Some backdoors have built-in functionality to control VSS
  - Example: Gh0st RAT
- Can be manipulated through WMI or PowerShell

VSS Attack Techniques
- Built-in utility, vssadmin
- Visual Basic script, VSSOwn
- PowerShell
- Built-in utility, ntdsutil

Technique: vssadmin
- Command-line utility for interacting with VSS copies
  - Create a volume shadow copy
  - List the available shadow copies
- Attack technique has been published since 2011
- Mount the shadow copy and take the NTDS.DIT file and SYSTEM registry hive for offline hash extraction
- Leaves almost no forensic evidence of activity

Example: vssadmin
Create snapshot:

    C:\Users\mmiddleton>vssadmin Create Shadow /For=C:
    vssadmin Volume Shadow Copy Service administrative command-line tool
    (C) Copyright Microsoft Corp.
    Successfully created shadow copy for 'C:\'
        Shadow Copy ID: {cf6b4f72-6e28-4b26-a71c-d518734e9c14}
        Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65

Example: vssadmin
View snapshots:

    C:\Users\mmiddleton>vssadmin list shadows /For=C: /shadow:{f1c67cf1-8f3a d9b-eb8a69160d1d}
    Contents of shadow copy set ID: {f1c67cf1-8f3a d9b-eb8a69160d1d}
       Contained 1 shadow copies at creation time: 8/25/ :29:35 AM
          Shadow Copy ID: {cf6b4f72-6e28-4b26-a71c-d518734e9c14}
             Original Volume: (C:)\\?\Volume{e7e1ba e4-80b5-806e6f6e6963}\
             Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65
             Originating Machine: gatekeeper.ghostbusters.com
             Service Machine: gatekeeper.ghostbusters.com
             Provider: 'Microsoft Software Shadow Copy provider 1.0'
             Type: ClientAccessible
             Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Example: vssadmin
Mount snapshot:

    C:\Users\Administrator>mklink /d c:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65\
    symbolic link created for c:\shadow <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65\

Access snapshot:

Evidence: vssadmin
- Windows System Event Logs
- Event ID: 7036
  - The <service name> service entered the <running/stopped> state.
- Microsoft Software Shadow Copy Provider: Manages software-based shadow copies taken by Volume Shadow Copy

    The Microsoft Software Shadow Copy Provider service entered the running state.
    The Volume Shadow Copy service entered the running state.
    The Microsoft Software Shadow Copy Provider service entered the stopped state.
    The Volume Shadow Copy service entered the stopped state.

WMI Attacks
- vssown.vbs written by Mark Baggett and Tim Tomes in ndows/vssown.vbs
- Visual Basic script that automates extraction of password hashes from volume shadow copies using WMI
- Used by targeted attackers

Example: vssown.vbs
List Volume Shadow Copies:

    cscript vssown.vbs /list

Create Volume Shadow Copies:

    cscript vssown.vbs /create C

Detection
- Process Tracking in Security Event Logs (EID 4688):
  - cscript.exe (Windows Script Host)
  - wmiprvse.exe (WMI Provider Host)
  - vssvc.exe (Volume Shadow Copy Service)
- Volume Shadow Copy service start/stop logged in System Event log (EID 7036)
- No artifacts for listing shadow copies or mounting existing copies

PowerShell Attacks
- Matt Graeber's PowerSploit:
  - Volume Shadow Copies (VolumeShadowCopyTools.ps1)
  - Access locked files (Invoke-NinjaCopy.ps1)

Example: PowerSploit (VolumeShadowCopyTools)
Script to mount an existing volume shadow copy:

    Get-VolumeShadowCopy
    Mount-VolumeShadowCopy -Path $PWD
    cp $PWD\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit

- Creates an NTFS reparse point for mount
  - Attacker might forget to delete this
- No observable changes in registry or event logs with default logging

Example: PowerSploit (NinjaCopy)

    Invoke-NinjaCopy -Path C:\Windows\NTDS\ntds.dit -LocalDestination C:\Windows\Temp\ntds.dit

- No Event Log artifacts created
  - powershell.exe process logged with object auditing
  - Command line not logged if called from interpreter
- No Registry artifacts created
  - Potential Shellbags if attacker browses to copied file using Explorer
- No File artifacts created
  - Potential INDX records or deleted files created after copy

Technique: ntdsutil
- Command-line utility providing management facilities for AD DS and AD LDS
- Available on AD DS or AD LDS server roles
- Including in AD DS for RSAT
- Used by attackers to create VSS copies

Example: ntdsutil
Create snapshot:

    C:\Users\Administrator>ntdsutil
    ntdsutil: activate instance ntds
    Active instance set to "ntds".
    ntdsutil: snapshot
    snapshot: create
    Creating snapshot...
    Snapshot set {a45e4063-e4b5-407b-837c-a38d984ce4ae} generated successfully.
    snapshot:

View snapshots:

    snapshot: list all
     1: 2014/08/19:18:31 {a45e4063-e4b5-407b-837c-a38d984ce4ae}
     2: C: {5d3bef1e-09a9-4abe-82cc-c9bccbe6a8c6}

Example: ntdsutil
Mount snapshot:

    snapshot: mount 1
    Snapshot {5d3bef1e-09a9-4abe-82cc-c9bccbe6a8c6} mounted as C:\$SNAP_ _VOLUMEC$\

Access snapshot:

Example: ntdsutil
As a one-liner:

    ntdsutil "act inst ntds" "snapshot" "create" q q

As a one-liner with alternative path:

    ntdsutil "act inst ntds" "ifm" "create full c:\evil" q q

Evidence: ntdsutil
- Windows Application Logs
- Event ID:
  - 2001: lsass (556) Shadow copy instance 2 freeze started.
  - 2003: lsass (556) Shadow copy instance 2 freeze ended.
  - 2005: lsass (556) Shadow copy instance 2 starting. This will be a Full shadow copy.
  - 2006: lsass (556) Shadow copy instance 2 completed successfully.

Mitigation and Detection
- Detecting VSS usage through timeline analysis
- Detailed Process Tracking
- Leveraging AppLocker
- Sysinternals Sysmon
- Mitigation

Event Log Timeline
- Timeline analysis and stacking are often effective techniques
- Collect evidence
  - Application, Security, System
  - Operational Task Scheduler
  - Others
- Reduce evidence
  - Identify patterns
  - Remove known legitimate activity
- Analyze results

    %systemroot%\system32\winevt\logs\application.evtx
    %systemroot%\system32\winevt\logs\security.evtx
    %systemroot%\system32\winevt\logs\system.evtx
    %systemroot%\system32\winevt\logs\microsoft-windows-taskscheduler%4operational.evtx

Reduce Evidence
- Take a sip from the fire hose
- Analyze Event IDs 4904 & 4905 from Security log using vssvc.exe
  - 4904: An attempt was made to register a security event source
  - 4905: An attempt was made to unregister a security event source
- Are these entries normal backups?

Reduce Evidence
- Volume configured for shadow copies
- List of snapshot

Reduce Evidence
Table (Event ID, Gen Time, Log, Message): twelve Security log entries with Gen Time ending :00:00, alternating between these two messages:
- An attempt was made to register a security event source.
- An attempt was made to unregister a security event source.

Reduce Evidence
The same table, with the detail of one entry shown:

    An attempt was made to register a security event source.
    Subject:
        Security ID: NT AUTHORITY\SYSTEM
        Account Name: GATEKEEPER$
        Account Domain: GHOSTBUSTERS
        Logon ID: 0x e
    Process:
        Process ID: 0x
        Process Name: C:\Windows\System32\VSSVC.exe
    Event Source:
        Source Name: VSSAudit
        Event Source ID: 0x ccbd

Reduce Evidence
Table (Event ID, Gen Time, Log, Message): twelve Security log entries with Gen Time ending :00:00, alternating between "An attempt was made to register a security event source." and "An attempt was made to unregister a security event source."
- Remove entries corresponding to twice-daily VSSVC backups

Reduce Evidence
- Take another sip from the (now) garden hose
- Determine if Scheduled Tasks run backups
- Remove any applicable entries

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ShadowCopyVolume{GUID}
    C:\WINDOWS\Tasks\ShadowCopyVolume{GUID}

Reduce Evidence
Event ID | Gen Time | Log | Message
 | :55:16 | Security | An account was successfully logged on.
      New Logon: Security ID: GHOSTBUSTERS\Administrator; Account Name: Administrator; Account Domain: GHOSTBUSTERS; Logon ID: 0x f2df
      Network Information: Workstation Name: RSTANZ; Source Network Address:
 | :55:16 | Microsoft-Windows-TaskScheduler | User "\Administrator" updated Task Scheduler task "\evil
 | :55:16 | Security | An account was logged off.
      Subject: Security ID: GHOSTBUSTERS\Administrator; Account Name: Administrator; Account Domain: GHOSTBUSTERS; Logon ID: 0x f2df

Reduce Evidence
Event ID | Gen Time | Log | Message
 | :02:00 | Microsoft-Windows-TaskScheduler | Task Scheduler launch task "\evil", instance "C:\Windows\SYSTEM32\cmd.exe with process ID
 | :02:00 | System | The Microsoft Software Shadow Copy Provider service entered the running state
 | :02:01 | Application | Shadow copy instance 1 freeze started
 | :02:01 | Application | Shadow copy instance 1 starting. This will be a Full shadow copy
 | :02:03 | System | Volume?? (\Device\HarddiskVolumeShadowCopy63)
 | :02:04 | Application | Shadow copy instance 1 completed successfully
 | :02:04 | Application | Shadow copy instance 1 freeze ended.
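
The "Reduce Evidence" steps above, as an added example that is not from the presentation: drop VSS events that line up with the known backup schedule, group what remains into bursts, and pull in the logon and Task Scheduler events just before each burst. The timeline is constructed, and the 07:00/12:00 schedule, the time windows, and the event IDs 4624, 140 and 129 are assumptions of this sketch.

```python
from datetime import datetime, time, timedelta

# VSS-related event IDs named on the slides, keyed by log.
VSS_INDICATORS = {
    "Security": {4904, 4905},                 # VSSVC.exe (un)registers the VSSAudit source
    "System": {7036},                         # shadow copy services start/stop
    "Application": {2001, 2003, 2005, 2006},  # lsass shadow copy instance events
}
# Assumption: this host's legitimate shadow copies run twice daily at these times.
BACKUP_SCHEDULE = [time(7, 0), time(12, 0)]
TASKS = "Microsoft-Windows-TaskScheduler/Operational"
VSSVC = r"Process Name: C:\Windows\System32\VSSVC.exe"


def ev(ts, log, event_id, message):
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "log": log, "id": event_id, "message": message}


# Constructed sample timeline (not real log data).
EVENTS = [
    ev("2014-08-18 07:00:00", "Security", 4904, VSSVC),
    ev("2014-08-18 07:00:03", "Security", 4905, VSSVC),
    ev("2014-08-18 12:00:00", "Security", 4904, VSSVC),
    ev("2014-08-18 12:00:03", "Security", 4905, VSSVC),
    ev("2014-08-19 07:00:00", "Security", 4904, VSSVC),
    ev("2014-08-19 07:00:03", "Security", 4905, VSSVC),
    ev("2014-08-19 09:00:00", "System", 7036, "The Windows Update service entered the running state."),
    ev("2014-08-19 10:55:16", "Security", 4624, r"Logon: GHOSTBUSTERS\Administrator from RSTANZ"),
    ev("2014-08-19 10:55:16", TASKS, 140, r'User updated Task Scheduler task "\evil"'),
    ev("2014-08-19 11:02:00", TASKS, 129, r'Task Scheduler launch task "\evil", instance cmd.exe'),
    ev("2014-08-19 11:02:00", "System", 7036,
       "The Microsoft Software Shadow Copy Provider service entered the running state."),
    ev("2014-08-19 11:02:01", "Security", 4904, VSSVC),
    ev("2014-08-19 11:02:01", "Application", 2001, "lsass (556) Shadow copy instance 1 freeze started."),
    ev("2014-08-19 11:02:01", "Application", 2005, "lsass (556) Shadow copy instance 1 starting."),
    ev("2014-08-19 11:02:04", "Application", 2006, "lsass (556) Shadow copy instance 1 completed successfully."),
    ev("2014-08-19 11:02:04", "Application", 2003, "lsass (556) Shadow copy instance 1 freeze ended."),
    ev("2014-08-19 11:02:04", "Security", 4905, VSSVC),
]


def is_vss_indicator(event):
    if event["id"] not in VSS_INDICATORS.get(event["log"], ()):
        return False
    if event["log"] == "Security":      # 4904/4905 only count when raised by VSSVC.exe
        return "vssvc.exe" in event["message"].lower()
    if event["log"] == "System":        # 7036 is logged for every service; keep VSS ones
        return "shadow copy" in event["message"].lower()
    return True


def near_schedule(event, schedule=BACKUP_SCHEDULE, tolerance=timedelta(minutes=5)):
    """True when the event falls within `tolerance` of a scheduled backup time."""
    return any(abs(event["time"] - datetime.combine(event["time"].date(), slot)) <= tolerance
               for slot in schedule)


def reduce_evidence(events):
    """Keep only VSS indicators that do not line up with the known schedule."""
    return sorted((e for e in events if is_vss_indicator(e) and not near_schedule(e)),
                  key=lambda e: e["time"])


def group_bursts(indicators, gap=timedelta(minutes=5)):
    """Split time-ordered indicators into bursts separated by more than `gap`."""
    bursts = []
    for e in indicators:
        if bursts and e["time"] - bursts[-1][-1]["time"] <= gap:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return bursts


def add_context(burst, events, lookback=timedelta(minutes=10)):
    """Non-VSS events (logons, task changes) shortly before or during the burst."""
    start, end = burst[0]["time"], burst[-1]["time"]
    return [e for e in sorted(events, key=lambda e: e["time"])
            if not is_vss_indicator(e) and start - lookback <= e["time"] <= end]


def unscheduled_snapshots(events):
    return [{"start": b[0]["time"], "end": b[-1]["time"],
             "indicators": b, "context": add_context(b, events)}
            for b in group_bursts(reduce_evidence(events))]


if __name__ == "__main__":
    for hit in unscheduled_snapshots(EVENTS):
        print("Unscheduled shadow copy activity:", hit["start"], "to", hit["end"])
        for e in hit["context"] + hit["indicators"]:
            print("   ", e["time"], e["log"], e["id"], e["message"])
```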

Detailed Process Tracking
- Enable Detailed Process Tracking
  - Security Settings > Advanced Audit Configuration > Detailed Tracking
  - Logged to Security Event Log (EID 4688)
- Server 2012 R2 - Include command line in process creation events
  - Administrative Templates > System > Audit Process Creation
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\audit:processcreationincludecmdline_enabled (DWORD:1)

Detection Using AppLocker
- Use AppLocker in Audit-Only mode to detect usage of vssadmin and ntdsutil
- Blocked applications will generate a warning event in the AppLocker Event Log (EID 8003)
- Forward Warning level to a SIEM for monitoring

Caveats
- AppLocker in enforcement mode
  - Valid Microsoft utilities do not generate Warning level events
  - Requires filtering at SIEM or log forwarder level
- Attackers may not always use both ntdsutil and vssadmin during an attack
  - Potential evasion of correlation rules
- Does not record command line arguments

Sysinternals Sysmon
- Released in August 2014
- Monitors process creation to its own event log file
  - Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
- Shows command line arguments by default
- Provides optional hashes of executed files (MD5/SHA1)
- Records file creation time changes
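
Added example (not from the presentation) for the process-creation sources above, EID 4688 with command line and Sysmon: each technique gets its own rule, so an attacker who uses only one utility is still caught, and a watched utility is flagged at low confidence when no command line was recorded. The event field names, rule names and sample events are constructed, and the patterns cover only the command forms shown on the slides.

```python
import re

# One rule per technique from the slides; none depends on another rule firing.
RULES = [
    ("vssadmin create shadow", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)),
    ("ntdsutil snapshot/ifm", re.compile(r"\bntdsutil(\.exe)?\b.*\b(snapshot|ifm)\b", re.I)),
    ("vssown.vbs via cscript", re.compile(r"\bcscript(\.exe)?\b.*\bvssown\.vbs\b", re.I)),
    ("shadow copy device path", re.compile(r"GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+", re.I)),
    ("ntds.dit on command line", re.compile(r"\bntds\.dit\b", re.I)),
]
# Utilities whose mere execution is worth a look (the AppLocker audit-only idea).
WATCHED_IMAGES = {"vssadmin.exe", "ntdsutil.exe"}

# Constructed process-creation events; "command_line" is empty when the host
# logs EID 4688 without the command-line policy enabled.
SAMPLE = [
    {"image": r"C:\Windows\System32\vssadmin.exe", "command_line": "vssadmin Create Shadow /For=C:"},
    {"image": r"C:\Windows\System32\ntdsutil.exe",
     "command_line": r'ntdsutil "act inst ntds" "ifm" "create full c:\evil" q q'},
    {"image": r"C:\Windows\System32\cscript.exe", "command_line": "cscript vssown.vbs /create C"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65"
                     r"\Windows\NTDS\ntds.dit C:\Windows\Temp"},
    {"image": r"C:\Windows\System32\ntdsutil.exe", "command_line": ""},
    {"image": r"C:\Windows\System32\vssadmin.exe", "command_line": "vssadmin list shadows /For=C:"},
    {"image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
]


def triage(event):
    """Return a verdict dict for one process-creation event, or None if benign."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event.get("command_line") or ""
    hits = [name for name, rx in RULES if rx.search(cmd)]
    if hits:
        return {"confidence": "high", "reasons": hits}
    if image in WATCHED_IMAGES:
        # Without arguments we cannot tell a snapshot from routine use.
        reason = "watched utility" if cmd else "watched utility, no command line logged"
        return {"confidence": "low", "reasons": [reason]}
    return None


def detect(events):
    """Return (index, verdict) for every event that triage() flags."""
    return [(i, v) for i, v in ((i, triage(e)) for i, e in enumerate(events)) if v]


if __name__ == "__main__":
    for index, verdict in detect(SAMPLE):
        print(index, verdict["confidence"], ", ".join(verdict["reasons"]))
```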

[Figure: Sysmon Event Example]

PowerShell Module Logging
- Requires PowerShell 3.0
  - Only installed by default on Windows Server 2012
- Configured through Group Policy
- Records commands and resulting output to the PowerShell Operational Event Log (EID 4103)

Mitigating These Attacks
- Restrict Logons to Domain Controllers
- Only allow interactive logons from Domain Admins Group
- Use Domain Admins group only for administration of domain controllers
- Require interactive logons to originate from jump servers with host-based firewall
- Require two-factor authentication on jump servers
- Review RDP sessions connecting to DCs
- Practice Enterprise Password Resets

Additional Resources
- Investigating PowerShell Attacks:
- Microsoft Sysmon:
410: Installing and Configuring Windows Server 2012 Duration: 40 Hours. Overview About this Course Get hands-on instruction and practice installing and configuring Windows Server 2012, including Windows
More informationSymantec NetBackup Blueprints
Symantec NetBackup Blueprints Blueprint for Microsoft Active Directory Symantec Education Services Symantec NetBackup Blueprints 1 Symantec NetBackup Blueprints FEEDBACK FEEDBACK Please hide this slide
More informationAV-006: Installing, Administering and Configuring Windows Server 2012
AV-006: Installing, Administering and Configuring Windows Server 2012 Career Details Duration 105 hours Prerequisites This course requires that student meet the following prerequisites, including that
More informationMCSA Server (Exam 70-410)
MCSA Server (Exam 70-410) Installing and Configuring Windows Server 2012 Get hands-on instruction and practice installing and configuring Windows Server 2012, including Windows Server 2012 R2, in this
More informationInstalling, Configuring, and Managing a Microsoft Active Directory
Installing, Configuring, and Managing a Microsoft Active Directory Course Outline Part 1: Configuring and Managing Active Directory Domain Services Installing Active Directory Domain Services Managing
More informationLT Auditor+ 2013. Windows Assessment SP1 Installation & Configuration Guide
LT Auditor+ 2013 Windows Assessment SP1 Installation & Configuration Guide Table of Contents CHAPTER 1- OVERVIEW... 3 CHAPTER 2 - INSTALL LT AUDITOR+ WINDOWS ASSESSMENT SP1 COMPONENTS... 4 System Requirements...
More informationMicrosoft Virtual Labs. Active Directory New User Interface
Microsoft Virtual Labs Active Directory New User Interface 2 Active Directory New User Interface Table of Contents Active Directory New User Interface... 3 Exercise 1 User Management and Saved Queries...4
More informationNetSpective Logon Agent Guide for NetAuditor
NetSpective Logon Agent Guide for NetAuditor The NetSpective Logon Agent The NetSpective Logon Agent is a simple application that runs on client machines on your network to inform NetSpective (and/or NetAuditor)
More informationFive Steps to Improve Internal Network Security. Chattanooga Information security Professionals
Five Steps to Improve Internal Network Security Chattanooga Information security Professionals Who Am I? Security Analyst: Sword & Shield Blogger: averagesecurityguy.info Developer: github.com/averagesecurityguy
More informationCourse 20410: Installing and Configuring Windows Server 2012
Course 20410: Installing and Configuring Windows Server 2012 Type:Course Audience(s):IT Professionals Technology:Windows Server Level:200 This Revision:D Delivery method: Instructor-led (classroom) Length:5
More informationVERITAS Backup Exec TM 10.0 for Windows Servers
VERITAS Backup Exec TM 10.0 for Windows Servers Quick Installation Guide N134418 July 2004 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software
More informationNETWRIX ACCOUNT LOCKOUT EXAMINER
NETWRIX ACCOUNT LOCKOUT EXAMINER ADMINISTRATOR S GUIDE Product Version: 4.1 July 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a
More informationInstalling and Configuring Windows Server 2012
Course Code: M20410 Vendor: Microsoft Course Overview Duration: 5 RRP: 2,025 Installing and Configuring Windows Server 2012 Overview Get hands-on instruction and practice installing and configuring Windows
More informationIntegrating LANGuardian with Active Directory
Integrating LANGuardian with Active Directory 01 February 2012 This document describes how to integrate LANGuardian with Microsoft Windows Server and Active Directory. Overview With the optional Identity
More informationNOTE: Labs in this course are based on the General Availability release of Windows Server 2012 R2 and Windows 8.1.
Course 20410C: Installing and Configuring Windows Server 2012 OVERVIEW About this Course Get hands-on instruction and practice installing and configuring Windows Server 2012, including Windows Server 2012
More informationAdvanced Diploma In Hardware, Networking & Server Configuration
Advanced Diploma In Hardware, Networking & Server Configuration Who should do this course? This course is meant for those persons who have a dream of getting job based on Computer Hardware, Networking
More informationCourse Outline. Configuring, Managing & Maintaining Windows 2008 Server. Course Description: Pre-requisites:
Configuring, Managing & Maintaining Windows 2008 Server Course Description: This five-day instructor-led course combines five days worth of instructor-led training content from the Network Infrastructure
More informationUnderstanding Task Scheduler FIGURE 33.14. Task Scheduler. The error reporting screen.
1383 FIGURE.14 The error reporting screen. curring tasks into a central location, administrators gain insight into system functionality and control over their Windows Server 2008 R2 infrastructure through
More informationConfiguring WMI on Windows Vista and Windows Server 2008 for Application Performance Monitor
Configuring WMI on Windows Vista and Windows Server 2008 for Application Performance Monitor Revised 1/22/2008 Requirements...1 Checking Application Performance Monitor Credentials Group Memberships...1
More informationStep-By-Step Guide to Deploying Lync Server 2010 Enterprise Edition
Step-By-Step Guide to Deploying Lync Server 2010 Enterprise Edition The installation of Lync Server 2010 is a fairly task-intensive process. In this article, I will walk you through each of the tasks,
More informationAPT Detection with Whitelisting and Log Monitoring
APT Detection with Whitelisting and Log Monitoring Aaron Beuhring Kyle Salous About Us Kyle Salous is a 10-year Info Sec vet, covering a broad spectrum of subjects. He has a BS in Information Security
More informationWindows 7, Enterprise Desktop Support Technician
MS50331 Längd: 5 dagar Windows 7, Enterprise Desktop Support Technician Detta är den bredaste, mest djuplodande kursen för dig som arbetar som Supporttekniker och behöver vara champion på Windows när frågorna
More informationIT Test - Server Administration
Question: 1 You have a server named Server1 that runs Windows Server 2012. Server1 has the Hyper-V server role installed. You have fixed-size VHD named Files.vhd. You need to make the contents in Files.vhd
More informationPass-the-Hash II: Admin s Revenge. Skip Duckwall & Chris Campbell
Pass-the-Hash II: Admin s Revenge Skip Duckwall & Chris Campbell Do you know who I am? Skip Co-presented PTH talk last year at BH, Derbycon http://passing-the-hash.blogspot.com @passingthehash on twitter
More informationCyber Security for NERC CIP Version 5 Compliance
GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...
More informationUnderstand Troubleshooting Methodology
Understand Troubleshooting Methodology Lesson Overview In this lesson, you will learn about: Troubleshooting procedures Event Viewer Logging Resource Monitor Anticipatory Set If the workstation service
More informationTECHNICAL NOTE. The following information is provided as a service to our users, customers, and distributors.
page 1 of 11 The following information is provided as a service to our users, customers, and distributors. ** If you are just beginning the process of installing PIPSPro 4.3.1 then please note these instructions
More informationAcronis Backup & Recovery 10 Server for Windows. Installation Guide
Acronis Backup & Recovery 10 Server for Windows Installation Guide Table of Contents 1. Installation of Acronis Backup & Recovery 10... 3 1.1. Acronis Backup & Recovery 10 components... 3 1.1.1. Agent
More information20410 Installing and Configuring Windows Server 2012
20410 Installing and Configuring Windows Server 2012 Audience Profile This course is intended for information technology (IT) professionals who have some knowledge and experience working with Windows operating
More informationHyper-V Protection. User guide
Hyper-V Protection User guide Contents 1. Hyper-V overview... 2 Documentation... 2 Licensing... 2 Hyper-V requirements... 2 2. Hyper-V protection features... 3 Windows 2012 R1/R2 Hyper-V support... 3 Custom
More informationHow to troubleshoot Microsoft Volume Shadow copy Service errors
Macrium Reflect uses a Microsoft service called Volume Shadow copy Service to enable disk images to be created and files to be backed up when in use. When VSS fails it can sometimes mean that you are unable
More informationVoipSwitch Security Audit
VoipSwitch Security Audit Security audit was made at 1 st January 2013 (3.00 PM 10.00 PM UTC +1) by John Doe who is Security Advisor at VoipSwitch Company. Server's IP address : 11.11.11.11 Server has
More informationIBM WebSphere Application Server Version 7.0
IBM WebSphere Application Server Version 7.0 Centralized Installation Manager for IBM WebSphere Application Server Network Deployment Version 7.0 Note: Before using this information, be sure to read the
More informationMS-6416D: Updating Your Windows Server 2003 Technology Skills to Windows Server 2008
MS-6416D: Updating Your Windows Server 2003 Technology Skills to Windows Server 2008 Description This five-day instructor-led course teaches the features and technologies of Windows Server 2008 and Windows
More informationSnapManager 7.0 for Microsoft Exchange Server
SnapManager 7.0 for Microsoft Exchange Server Installation and Administration Guide NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501 Support
More informationBackup and Disaster Recovery Restoration Guide
Backup and Disaster Recovery Restoration Guide Page 1 Table of Contents Table of Contents...2 Terms of Use...3 BDR...4 Creating Point-in-Time Restoration Volumes...4 Mounting a Restoration Volume...4 Dismounting
More information