Sunday, May 27, 2018

"CredSSP encryption oracle remediation” error when connect via RDP

Updates

Updates which switches a flag to protect against the CredSSP attack.

Operating system, RollUp, Update
Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1, KB4103718 (Monthly Rollup) KB4103712 (Security-only update)
Windows Server 2012, KB4103730 (Monthly Rollup), KB4103726 (Security-only update)
Windows 8.1 / Windows Sever 2012 R2, KB4103725 (Monthly Rollup), KB4103715 (Security-only update)
Windows 10 Version 1607 / Windows Server 2016, KB4103723
Windows 10 Version 1703, KB4103731
Windows 10 1709, KB4103727

Solution:

To resolve this issue, the May updates including this patch have to be installed on all Servers and Clients!

Workaround:

If you can´t do this you can apply the following workaround.
Note: After you change the following setting, an unsecure connection is allowed that will expose the remote server to attacks.

Updated clients cannot communicate with non-updated servers
If you installed the May Updates on your DC you can apply a GPO to set these settings.
GPO Path
Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation
Setting
Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

or apply the following Regkey
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] "AllowEncryptionOracle"=dword:00000002


Non-updated clients cannot communicate with patched servers
GPO Path
Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation
Setting
Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

or apply the following Regkey
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] "AllowEncryptionOracle"=dword:00000002

Monday, May 14, 2018

How to find largest files using Powershell


If your hard drive is running out of space, you need to know which files causing this issue!
To establish this we will use Get-ChildItem.
Use the following command to get the top three files.
Get-ChildItem -r| sort -descending -property length | select -first 3 name, Length



The Length will be displayed in Bytes, if you have large files it´s better to display it in Mega Bytes, so let´s calculate the responding property length into MB.
Get-ChildItem -r|sort -descending -property length | select -first 3 name, @{Name="Megabytes";Expression={[Math]::round($_.length / 1MB, 2)}}



Now we get all files, where are these files located? Just select DirectoryName as well, to get it.
Get-ChildItem -r|sort -descending -property length | select -first 3 name, DirectoryName, @{Name="Megabytes";Expression={[Math]::round($_.length / 1MB, 2)}}


Thursday, May 3, 2018

Get and set DFS-R primary member

You can use the following command to get and set the DFSR primary member.

Get which DFSR member is primary member
Dfsradmin Membership List /RGname:<replication group name> /attr:MemName,RFName,IsPrimary

Set the primary member for a replication group
dfsradmin Membership Set /RGName:<replication group name> /RFName:<replication folder name> /MemName:<primary member> /IsPrimary:True

Run "dfsrdiag pollad" to update Active Directory configuration.

Wednesday, April 18, 2018

How to find all AD Users with a specidfic profilepath or homeDirectory


If you try to search for a specific homeDirectory or profilepath that are assigned to users, you have to filter on this path.

Therefore, let´s assume you have a DFS share named \\domain.com\DFSShare\User and in this share you have all homeDirectories. To find all users using this path you could expect that you can use a query like this:
Get-ADUser -Filter "homedirectory -like '\\domain.com\DFSShare\User*'" -Properties homedirectory | select samaccountname, homedirectory

If you run this line, the output will be empty, even if some users using this share as homeDirectory.

Why? A network path has backslashes and a backslash „\” is a special character. Therefore, if you filter on those paths, you have to replace every \ with \5c.

For more information check out the following MS article:

If we do that our PowerShell query looks like this:
Get-ADUser -Filter "homedirectory -like '\5c\5cdomain.com\5cDFSShare\5cUser*'" -Properties homedirectory | select samaccountname, homedirectory

Now we see all users that have a homeDirectory located in \\domain.com\DFSShare\User



Thursday, April 5, 2018

Syncing NPS Settings between two servers

If you want to be redundant, you need a second server running NPS with all the settings you need to handle requests of your Radius Clients. Network devices typically allow you to specify multiple Radius Servers in their configuration using a shell or web interface. If you have two servers, you have to define a "Master Radius Server", so you can use this server to do all configuration changes and these changes have to be imported to a second server. You can sync your NPS configuration, manually via GUI or using a PowerShell script that running in a schedule task. Find attached a picture that show this process.




The following script could be used to sync your NPS configuration between two servers. This path C:\admin\NPS\Backup\ must be available on both servers. Just create them or add it to the sript.


# Get date
$date = get-date -Format yyyy_MM_dd
# Export NPS config
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig_$date.xml
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig.xml
# Destination Server
$NPSDestServer = "SecondRadius"
# Copy config to destination server
Copy-Item -path C:\admin\NPS\Backup\NPSConfig.xml -destination \\$NPSDestServer\C$\admin\NPS\NPSConfig.xml
# Export current config
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Export-NPSConfiguration -Path C:\admin\NPS\BackupNPSConfig.xml}
# Import new config
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Import-NPSConfiguration -Path C:\admin\NPS\NPSConfig.xml}


Just copy this script to your Master Radius, change $NPSDestServer = "SecondRadius" to match to your second NPS server name and create a schedule task that execute this script.

Monday, March 26, 2018