With thanks to the 50 staff from across the University for attending please see below the links to the videos and PowerPoints of the day!
Direct link to Playlist – https://www.youtube.com/watch?list=PLRxbdlgJzwyjAf820T0u4GpP0E01a9LEX&v=u-GVJ_0VuRM
Slides as PowerPoint
1 Intro (4.3 MiB, 17 hits)
2 MDT (85.2 MiB, 27 hits)
3 PowerShell (27.5 MiB, 12 hits)
4 PRTG Network Monitor (47.5 MiB, 12 hits)
5 OpenVAS (32.9 MiB, 12 hits)
6 WSUS and Chocolatey (60.3 MiB, 9 hits)
7 NPS and VLANs (10.7 MiB, 8 hits)
Slides as PDF
1 Intro (2.0 MiB, 11 hits)
2 MDT (2.2 MiB, 11 hits)
3 PowerShell (1.8 MiB, 10 hits)
4 PRTG Network Monitor (3.2 MiB, 13 hits)
5 OpenVAS (2.3 MiB, 16 hits)
6 WSUS and Chocolatey (2.9 MiB, 14 hits)
7 NPS and VLANs (1.4 MiB, 13 hits)
Stay tuned over the coming days for the scripts that are mentioned through the video which will be linked to from this post.
One of the often forgotten about features of gpresult is that it can output reports as HTML format (in a similar format to Group Policy Modelling) as well as to the command line – simply use the /h switch followed by a path. This includes much more useful data including how long it took to apply various aspects of the policy.
In the example below we can see that Group Policy Infrastructure took much longer to apply than expected (normally only a second or two), you can then dig into the cause by clicking the View Log link to the right which pops out even more detail to dig through. In this case the cause of the slow policy application appeared to be old ADM files (Windows XP era) being included with the policy; deleting the files resolved the issue.
In my environment all of our network connected devices are configured to respond to PINGs; this mainly comes about from using PRTG Network Monitor to confirm that devices and services are up even in the most simple of fashions. The same also applies to client PCs which through Group Policy are configured to reply to PING. Thus to save OpenVAS some work while doing it’s scans I’ve got a custom scan configured (which will be used in later blog posts) that will only scan hosts which reply to PING.
Have a look at the screenshot sequence below to see how to configure such a scan.
A little bit of fun today with Milestone XProtect (in our case the express version) today; with the goal of improving our documentation I wanted to somehow obtain a list of all of the hardware devices (and to some degree the cameras) including there names, MAC addresses and IP addresses from our XProtect server.
Lone behold the configuration.xml file typically stored at “C:\ProgramData\Milestone\Milestone Surveillance\configuration.xml” held just the information I wanted; a little bit of PowerShell later and I had CSVs with the information in a human readable form.
To do the same on your server follow the guide using the Export-MilestoneConfig.ps1 script show below.
If you are running an HPE Aruba (formally ProCurve) switch you may come across cases where your switch (in the example above a 5400R zl2) has multiple IP Addresses/VLANs and you need it to talk to another service (in my case syslog and sFlow receivers) on a set interface.
When this occurs you can use the ip source-interface command (make sure you are in config mode first) to define the IP Address or VLAN that you want the switch to talk out on. In my case VLAN2 which is used as the management network for the network switches (VLAN1 being the default network that switches use if multiple addresses are configured).
Not the first time I’ve run into this issue and probably won’t be the last! While building a new Windows Server 2016 (Full) Microsoft Deployment Toolkit server when attempting to run the ‘Update Deployment Share’ wizard I was getting the following error message.
Unable to mount the WIM, so the update process cannot continue.
The solution is simple; if you are running this machine on Hyper-V (presumably other Hypervisors as well) you will need to shutdown the VM, disable Secure Boot (on the VM only) and then power it back on. The next time you run the wizard it will complete as normal.
The error message in full context for reference.
=== Making sure the deployment share has the latest x86 tools ===
=== Making sure the deployment share has the latest x64 tools ===
=== Processing LiteTouchPE (x64) boot image ===
Building requested boot image profile.
Determining if any changes have been made in the boot image configuration.
No existing boot image profile found for platform x64 so a new image will be created.
Calculating hashes for requested content.
Changes have been made, boot image will be updated.
Windows PE WIM C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim will be used.
Unable to mount the WIM, so the update process cannot continue.
=== Completed processing platform x64 ===
=== Processing complete ===
Following on from more work with OpenVAS and after resolving issues around PHP/MySQL the next largest priority was flagged as issues with the Remote Desktop Server (this applies if the server is being used as a Session Host or is just running Windows Server/Client). Here are two pointers in the right direction to get these port 3389 issues resolved!
SSL/TLS: Report Weak Cipher Suites and SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
To resolve this issue I would suggest you look at the free IISCrypto tool (https://www.nartac.com/Products/IISCrypto) which (after a reboot) disables weak cipher suites and ensures that the correct key exchange mechanisms are used on your servers and clients. Note this software doesn’t just apply to IIS (Internet Information Services) but also Remote Desktop and any other Microsoft technology that makes use of schannel.
Although it takes a little while longer you can also examine the registry (see https://www.nartac.com/Support/IISCrypto/FAQ) and deploy a Group Policy to apply the same settings to your machines.
If you can I would suggest you opt for the PCI 3.1 template (which also culls TLS1.0 support) however as I found out you may have to resort to the ‘Best Practices’ which keeps TLS1.0 enabled and in turn allows things like 802.1x EAPOL and older versions of Microsoft SQL Server to work. Really is worth doing extensive testing with all of your applications (network services included!) before you go and roll this tool out to your full environment!
SSL/TLS: Certificate Signed Using A Weak Signature Algorithm
In this case we are looking at the self signed Remote Desktop Protocol certificate which just so happens to be SHA1. To resolve this issue have a look at this blog post – https://www.darkoperator.com/blog/2015/3/26/rdp-tls-certificate-deployment-using-gpo which covers in great detail how to use an Active Directory Certificate Services Server to issue SHA256 certificates to your machines to use with Remote Desktop.
Following on from some recent OpenVAS testing and in turn discovering that some of our PHP versions were sorely out of date I’ve set about to patch and document all of the installations. In turn we have a simple guide on how to update PHP security releases!
Please note – this guide is aimed at really simple single server instances of PHP that are being used by Microsoft IIS, be sure to test the upgrade outside of your production environment before deploying it.
For this guide you will also need this link – http://windows.php.net which contains the downloads for PHP on Windows.
- If you encounter an error message during the overwrite of the existing PHP install consider stopping the IIS server service first and then restarting it with the following commands from an elevated command/PowerShell prompt.
- net stop WAS
- net start W3SVC
Following on from the previous post (A Windows SysAdmin installs and uses OpenVAS – End to end guide – Simple Beginnings) in this post we’ll be using PowerShell, OpenVAS and the OMP (Open Management Protocol from Greenbone) to create a Target (a machine/device) to conduct some Pen Testing against, create a Task to scan the target and then generate a report.
The final step is quite possibly the most important though; it’s worth pointing out (hopefully the obvious) that you could have the most amazing Pen Testing software package on the planet but unless you then absorb the reports and take action to Mitigate/Resolve/Eliminate the risks identified it’s all just a horrible waste of CPU cycles.
A quick note – this guide is shown as only a small example of how you can get started with OpenVAS, stay tuned for more in depth guides!
In this first stage we will download the OMP client for Windows (from http://docs.greenbone.net/GSM-Manual/gos-4/en/tools.html#omp), get it into the right place on our computer as well as create a omp.config file (you can download an example from below) which will provide settings and credentials to the OMP client.
Example OMP File (hosted on GitHub – https://gist.github.com/jamesfed/4ed9be7de2adb83d1d442cc06ea1dbeb).
In addition to follow through with this guide you should download the .ps1 file below which contains the PowerShell code for the steps shown in the screenshots.
OpenVAS-Simple-Example.ps1 (hosted on GitHub – https://gist.github.com/jamesfed/6a5c6634abc12c180f125e25c2764d1f).
Creating a Target
Creating and kicking off a Task
Exporting the Report
Reading the Report
To discover more about the omp.exe tool take a look here – http://docs.greenbone.net/GSM-Manual/gos-4/en/omp.html#access-with-omp.
In the next post of this series I’ll be covering how we can take these simple beginnings and start to build something more in depth through OMP and PowerShell.
As anyone who has been keeping tabs on my work will know I’ve recently started making use of GitHub (https://github.com/jamesfed) but was quite surprised today when logging in and I received the message below.
Your account has been flagged.
Because of that, your profile is hidden from the public. If you believe this is a mistake, contact support to have your account status reviewed.
In contacting support I received an email less than a few minutes later stating that this was an error by their spam detection system and that the account was reinstated.