This year at the Microsoft Ignite conference Microsoft announced the modern replacement for MMC and Server Manager.
It is called Honolulu: https://docs.microsoft.com/en-us/windows-server/manage/honolulu/honolulu
Also Microsoft ranted about admins using RDP for administration: “It was never designed for it. Those admins should read the documentation. It states that it allows only two channels, for emergency administration. But that problem will fix itself, as we discontinue the GUI on servers. Also, if you want to administer GPOs for Windows 10 clients you have to do that from a Windows 10 client, as some settings are not available on a server-type OS.”
Also, Microsoft once again urges admins not to use jump hosts but to implement PAW (aka SAW) instead.
PAW (Privileged Access Workstation) or SAW (Secure Admin Workstation) is an advanced security concept for admins.
Its key features are:
- Isolated environments: day-to-day stuff like e-mail or the web browser has no access to privileged sessions or applications. In fact it does not even know that those exist.
- Does not need special hardware; it only needs a computer with a TPM and UEFI (and even those are not mandatory, but highly recommended).
- At minimum two OSes running in parallel; recommended is one per tier.
- Credential Guard enabled
- Windows Defender Application Guard enabled
Other things to consider:
- Tier 0 admins should be denied access to Tier 1 and Tier 2 *¹
- Tier 1 admins should be denied access to Tier 0 and Tier 2 *¹
- Tier 2 (workstation) admins should be denied access to Tier 0 and Tier 1 *¹
- Only the PAW/SAW allows local logon for admin accounts, and there AppLocker blocks an interactive Windows logon with the admin account, so it is only ever used for UAC elevation (Windows Hello with fingerprint for the elevation prompt is recommended).
- LAPS should be installed everywhere.
- Recommended AppLocker rules: see the video at 01:15:40 (only about 12 rules).
- Use IPsec: every client and every server should communicate over IPsec, so physical access to the network alone does not compromise anything (works for everything from Windows 2000 onwards).
- Use Exploit Guard (formerly EMET).
- IPsec with ESP and AH for IPv6, and IPsec with ESP only for IPv4 if there is (or could be) a NAT in the path, because AH does not survive address translation.
- Use Device Guard for single-purpose machines like ATMs, unless your admins are bored (a lot of administrative effort is required).
- Look at ESAE.
- Look at Protected Accounts.
- Disable RDP. Do remote administration only through WinRM (PowerShell remoting): a default WinRM session authenticates with Kerberos and leaves no reusable credentials on the remote host, unlike an RDP session (and do not turn on CredSSP, which would send the full credential to the remote host again).
- Disable NTLM authentication for shared folders (accessing a share by IP address falls back to NTLM, because there is no SPN for Kerberos), as NTLM makes credential theft easy.
- Enable SMB encryption (or IPsec), as requests can be intercepted otherwise.
- Consider adding a PIN to BitLocker in addition to the TPM.
- Restrict outgoing connections (including the allowed destinations) using Windows Firewall (preferably deployed through GPO).
- Use Kerberos.
- Block internet access from the secure context; that requires:
- Having an internal WSUS
- Having a KMS for Windows (re-)activation
- Having an internal PowerShell help server, to update PowerShell command help *²
- Having an internal PowerShell script and module repository *²
- Use TOTP (RFC 6238) for your ASP.NET Core stuff (2nd video at 17:31).
- Don’t use SMS or e-mail for two-factor auth.
Summary: talks about security concerns
- Mastering the lions PAW: How to build a privileged access workstation | BRK3286
- Security and identity in ASP.NET Core | BRK3283
*¹: Deny the user rights “Access this computer from the network”, “Log on as a batch job”, “Log on as a service”, “Log on locally” and “Log on through Remote Desktop Services” (formerly “terminal services”) to the other tiers’ admin groups.
*²: Recommended for administrative support, by me.
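As an added example (not from the talks or the original post), the following PowerShell script audits a PAW against several of the points above: the five deny user rights from footnote *¹ for the other tiers’ admin groups, Credential Guard, RDP disabled, outgoing NTLM denied, SMB encryption, BitLocker TPM+PIN and the presence of IPsec rules. The tier group names (CONTOSO\Tier1-Admins, CONTOSO\Tier2-Admins) are assumptions for a Tier 0 PAW; replace them with your own groups. It is read-only and must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Read-only PAW/SAW audit.

# Assumed tier groups that must be denied on this (Tier 0) PAW. Adjust to your environment.
$TierGroupsToDeny = @('CONTOSO\Tier1-Admins', 'CONTOSO\Tier2-Admins')

# The five "Deny ..." user rights from footnote *1, named as secedit writes them.
$DenyRights = @(
    'SeDenyNetworkLogonRight',           # Deny access to this computer from the network
    'SeDenyBatchLogonRight',             # Deny log on as a batch job
    'SeDenyServiceLogonRight',           # Deny log on as a service
    'SeDenyInteractiveLogonRight',       # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Remote Desktop Services
)

function Get-PrivilegeRights {
    # Export the local security policy and return a hashtable: right name -> SIDs.
    # secedit writes accounts as *S-1-..., so the leading '*' is stripped.
    $cfg = Join-Path $env:TEMP 'paw-audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-TierDenyRights {
    param([string[]]$Groups)
    $rights = Get-PrivilegeRights
    foreach ($g in $Groups) {
        # Compare by SID so the check does not depend on how the name is written.
        try {
            $sid = ([System.Security.Principal.NTAccount]$g).Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            [pscustomobject]@{ Check = "resolve $g"; Pass = $false }; continue
        }
        foreach ($r in $DenyRights) {
            $ok = $rights.ContainsKey($r) -and ($rights[$r] -contains $sid)
            [pscustomobject]@{ Check = "$r for $g"; Pass = $ok }
        }
    }
}

function Test-PawBaseline {
    # Credential Guard: SecurityServicesRunning contains 1 when it is running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{ Check = 'Credential Guard running'; Pass = ($dg.SecurityServicesRunning -contains 1) }

    # RDP disabled: fDenyTSConnections = 1.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    [pscustomobject]@{ Check = 'RDP disabled'; Pass = ($ts.fDenyTSConnections -eq 1) }

    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" = Deny all (2).
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'Outgoing NTLM denied'; Pass = ($msv.RestrictSendingNTLMTraffic -eq 2) }

    # SMB encryption required for shares hosted on this machine.
    $smb = Get-SmbServerConfiguration
    [pscustomobject]@{ Check = 'SMB encryption required'; Pass = ($smb.EncryptData -and $smb.RejectUnencryptedAccess) }

    # BitLocker on the system drive with a TPM+PIN protector.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($bl.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{ Check = 'BitLocker TPM+PIN'; Pass = ($bl.ProtectionStatus -eq 'On' -and ($types -contains 'TpmPin')) }

    # At least one IPsec rule is active (existence only, not proof that all traffic is protected).
    $ipsec = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Check = 'IPsec rules present'; Pass = ($ipsec.Count -gt 0) }
}

$results = @(Test-PawBaseline) + @(Test-TierDenyRights -Groups $TierGroupsToDeny)
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'PAW baseline has gaps, see the rows with Pass = False.' }
```

The deny-rights part reads the effective local policy from secedit, so it also reflects what your GPOs actually applied; a group that cannot be resolved is reported as a failed row instead of aborting the audit.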
Recently I’ve been playing around with the new Hyper-V Nested Virtualization feature within Windows 10 (build 10565 and greater) and Windows Server 2016. It is pretty cool to be able to creat…
Source: Install a VMWare ESXi 6.0 Hypervisor in a Hyper-V VM
Hyper-V Nested Virtualization
Part 1 – Prepare the ESXi ISO
Install VMware PowerCLI: https://my.vmware.com/group/vmware/get-download?downloadGroup=PCLI630R1
Download the ESXi-Customizer PowerShell script: http://www.v-front.de/p/esxi-customizer-ps.html#download and place it in D:\ESXi-Hyper-V
Enter the following command (it builds an ESXi 6.0 ISO with the net-tulip driver for the legacy network adapter injected):
.\ESXi-Customizer-PS-v2.5.ps1 -v60 -vft -load net-tulip
Part 2 – Create the Hyper-V VM
– Generation 1
– Startup memory: > 4096 MB
– Use Dynamic Memory for this virtual machine: $false
– Virtual hard disk: > 10 GB
– Install an operating system from a bootable CD/DVD-ROM
– Image file (.iso): select the ISO generated in Part 1
Now edit the settings of the ESXi VM:
– Processor: 2
– Remove the “Network Adapter”
– Add a “Legacy Network Adapter”
– Select a virtual switch
– Save the settings
Part 3 – Enable Nested Virtualization
– Open PowerShell and write:
Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true;
Get-VMNetworkAdapter -VMName <VMName> | Set-VMNetworkAdapter -MacAddressSpoofing On;
Part 4 – Boot the ESXi virtual machine
– At the boot screen of the installation media quickly press “Tab” and append “ignoreHeadless=TRUE” to the end of the boot options.
– Complete the setup process.
– Remove the installation disk and press “Enter” to reboot.
Part 5 – Configure the ESXi boot options:
– At the boot menu quickly press SHIFT+O and add the “ignoreHeadless=TRUE” boot option.
– After ESXi has started, press F2 and navigate to “Troubleshooting Options” => “Enable ESXi Shell”
– Press ALT+F1 to switch to the ESXi shell
– Log in to the shell
– Execute esxcfg-advcfg --set-kernel "TRUE" ignoreHeadless
– After that press CTRL+D to log off.
– Now press ALT+F2 to switch back to the GUI.
– Optionally turn off the ESXi shell.
– Esc out of the options menu.
Now you have a fully functional ESXi host within a Hyper-V virtual machine. Note that this setup is supported by neither VMware nor Microsoft.
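As an added example (not from the source article), Parts 2 and 3 above as one PowerShell script using the Hyper-V module, so the VM is built the same way every time. The VM name, the ISO and VHDX paths, the switch name and the sizes (6 GB memory, 40 GB disk) are assumptions; they only have to satisfy the “> 4096 MB” and “> 10 GB” requirements above.

```powershell
#Requires -Modules Hyper-V
# Added example, not part of the original post: builds the nested-ESXi VM from Parts 2 and 3.

$VMName  = 'ESXi60'                                     # assumed
$IsoPath = 'D:\ESXi-Hyper-V\ESXi-6.0.0-customized.iso'  # assumed: the ISO built in Part 1
$VhdPath = 'D:\ESXi-Hyper-V\ESXi60.vhdx'                # assumed
$Switch  = 'External'                                   # assumed: an existing virtual switch

function New-NestedEsxiVM {
    param([string]$Name, [string]$Iso, [string]$Vhd, [string]$SwitchName)

    # Generation 1 VM, more than 4 GB of memory, a new disk larger than 10 GB.
    $null = New-VM -Name $Name -Generation 1 -MemoryStartupBytes 6GB `
                   -NewVHDPath $Vhd -NewVHDSizeBytes 40GB -SwitchName $SwitchName
    # Nested virtualization does not work with dynamic memory.
    Set-VMMemory -VMName $Name -DynamicMemoryEnabled $false

    # Two virtual processors and, the essential part, expose VT-x to the guest.
    Set-VMProcessor -VMName $Name -Count 2 -ExposeVirtualizationExtensions $true

    # ESXi has no driver for the synthetic NIC, so replace it with a legacy adapter
    # (the DEC 21140 that net-tulip from Part 1 drives).
    Get-VMNetworkAdapter -VMName $Name | Remove-VMNetworkAdapter
    Add-VMNetworkAdapter -VMName $Name -IsLegacy $true -SwitchName $SwitchName
    # MAC spoofing lets the MACs of the VMs inside ESXi pass the Hyper-V switch.
    Get-VMNetworkAdapter -VMName $Name | Set-VMNetworkAdapter -MacAddressSpoofing On

    # Boot from the customized ISO (a Generation 1 VM has a DVD drive by default).
    Set-VMDvdDrive -VMName $Name -Path $Iso
    return Get-VM -Name $Name
}

$vm = New-NestedEsxiVM -Name $VMName -Iso $IsoPath -Vhd $VhdPath -SwitchName $Switch
Start-VM -VM $vm
# Connect with vmconnect and continue with Part 4 (press Tab at the boot screen).
```

Run it on the Hyper-V host in an elevated PowerShell; afterwards Parts 4 and 5 (the ignoreHeadless boot option) are still done interactively in the VM console.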
- Google Fonts
Some fonts are fetched from Google, so Google can build a list of nearly all pages a user has visited. To disable this, install the plug-in “Disable Google Fonts”.
The emojis are images (instead of characters) fetched from s.w.org, so you may become liable if something goes wrong there. To disable this, install the plug-in “Disable Emojis”.
Turn it off (until you really know what you are doing and all the consequences). Settings => General
- Update Services
Turn it off (until you really know what you are doing and all the consequences). Settings => Writing
- E-Mail Publishing
Turn it off (until you really know what you are doing and all the consequences). Settings => Writing
Turn it off (until you really know what you are doing and all the consequences). Settings => Discussion
If you don’t want to disable it, it’s a good idea to enable manual approval.
Don’t enable notification of other weblogs (pingbacks), because that can trigger their DoS protections and so others may think you’re trying to attack them.
Disable the “Show Avatars” option. The WordPress avatars are also fetched from an external site. It may also be a legal issue in some countries, because you are liable for the pictures others provide.
Don’t install and enable every possible plugin. Many have big security holes that can lead to your site hosting the malware for the next phishing e-mail (“You have won…”).
Disable all default plugins you don’t need.
Plugins can also prevent you from updating to a fixed WordPress version after a bug was found, because the plugin author has not yet released an update.
Regularly (at least once a month) log into your WordPress to check for updates. If there are any, make an additional backup first and then press start.
- Users and Permissions
Don’t use your administrative WordPress user to publish!
Don’t name your user Admin, Administrator or root!
If you cannot think of a good name, use an online user name generator.
Use very long and complex passwords (at least for your admin user); you don’t have to remember them if you use e.g. KeePass.
If you have problems remembering your publishing user’s password, think of your favorite song and write the lyrics with random capitalization or replacements. That way it is easy for you to remember but very hard to brute force (length) and useless for dictionary attacks (the randomizations you made). Remember: longer is better than random:
- “jsdga”: 0.002970344 seconds to crack using a desktop PC
- “Hell0”: 0.229033208 seconds to crack using a desktop PC
- “StarWars”: on the top 60 passwords list.
- “JUST LETTERS”: 546 years to crack using a desktop PC (but it’s probably guessable 😉 )
Note: Password attacks are normally not performed on desktop PCs; they are done on rented or hacked high-end servers, e.g. Amazon AWS, so brute forcing becomes a lot easier because those systems have 24/7 uptime, high bandwidth and very fast CPUs (I know GPUs would be better, but not many root servers have good ones).
Don’t set your website live (a .htaccess with user name “user” and password “123” is enough) until you have checked all legal requirements. You may have to provide your full name and address, depending on where you live. As long as your site requires a password to be accessed, even one as simple as “user” and “123”, it’s enough to be protected from being sued (but you really should contact a lawyer before you believe me).
In many places around the world there is something called “Notice and Take Down”, which means that if you were notified about something wrong you have to correct it (like if someone posted harassment in your comments
Don’t use them. If you use e.g. tinyurl.com and that domain gets sold or hacked, or the operators decide to redirect to a landing page with e.g. pornographic ads, you may become liable for that.
If you really want to use a URL shortener, then use your own. There are products like: Your Own URL Shortener
But don’t use them blindly. They may have a “calling home” (or contacting other servers) function that you had better disable in certain countries.
Don’t use anything before you have RTFM (read the fucking manual).
Don’t use anything before you trust it (e.g. for liability reasons).
Think about what you’re about to do before you do it.
If your forest was created before Windows Server 2003, the strict replication consistency operation was never applied, so you have to run the following:
- Open Notepad and paste the text below (no trailing whitespace at the end of any line; replace DC=<contoso>,DC=<com> with your forest root domain; the objectClass line is required, otherwise the add fails):

dn: CN=94fdebc6-8eeb-4640-80de-ec52b9ca17fa,CN=Operations,CN=ForestUpdates,CN=Configuration,DC=<contoso>,DC=<com>
changetype: add
objectClass: container
showInAdvancedViewOnly: TRUE
name: 94fdebc6-8eeb-4640-80de-ec52b9ca17fa
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=<contoso>,DC=<com>

- Save the file as EnableSTC.ldf
- Open an elevated command prompt and navigate to the folder where you saved the file
- Run “ldifde.exe -i -f EnableSTC.ldf”
This only changes the default for DCs promoted from now on. Don’t forget to enable it on your existing DCs as well:
- Regedit: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- Create “Strict Replication Consistency” as a new DWORD with the value 1
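As an added example (not from the original post), the following PowerShell script checks both halves of the procedure above: whether the forest operation object from the LDIF exists, and which DCs in the forest still lack the registry value, which it then sets. It assumes the ActiveDirectory RSAT module on the machine you run it from and WinRM access to the DCs; both can be replaced by the manual steps above.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original post: audit and enforce strict replication consistency.

$OperationGuid = '94fdebc6-8eeb-4640-80de-ec52b9ca17fa'
$NtdsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName     = 'Strict Replication Consistency'

function Test-StrictConsistencyOperation {
    # True when the forest-wide operation object created by EnableSTC.ldf exists.
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$OperationGuid,CN=Operations,CN=ForestUpdates,$cfgNC"
    try { $null = Get-ADObject -Identity $dn; return $true } catch { return $false }
}

function Get-DcStrictConsistency {
    # Read the registry value on every DC of every domain in the forest.
    # A DC without the value is reported with an empty StrictReplicationConsistency.
    $dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    Invoke-Command -ComputerName @($dcs.HostName) -ScriptBlock {
        $key  = $using:NtdsKey
        $name = $using:ValueName
        $props = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ DC = $env:COMPUTERNAME; StrictReplicationConsistency = $props.$name }
    } | Select-Object DC, StrictReplicationConsistency
}

function Set-DcStrictConsistency {
    # Create/overwrite the DWORD with 1 (the manual regedit step above) on the given DCs.
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-ItemProperty -Path $using:NtdsKey -Name $using:ValueName -Value 1 -Type DWord
    }
}

if (-not (Test-StrictConsistencyOperation)) {
    Write-Warning "Operation $OperationGuid is missing: import EnableSTC.ldf with ldifde first."
}
$state = Get-DcStrictConsistency
$state | Format-Table -AutoSize
$lagging = @($state | Where-Object { $_.StrictReplicationConsistency -ne 1 })
if ($lagging.Count -gt 0) { Set-DcStrictConsistency -ComputerName $lagging.DC }
```

The registry change takes effect without a reboot; re-run the script afterwards and every DC should report 1.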