Security

26K

Solutions

25K

Contributors

Security is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide. Computer systems now include a very wide variety of "smart" devices, including smartphones, televisions and tiny devices as part of the Internet of Things -– and networks include not only the Internet and private data networks, but also Bluetooth, Wi-Fi and other wireless networks.

Hello, I have enabled audit policies in our domain and would like to read the Message content of the security log and grab the New Logon and Network Information fields.

I am executing the following script

Get-WinEvent -ComputerName DomainController01 -FilterHashtable @{logname='security';ProviderName='Microsoft-Windows-Security-Auditing';id=4624;StartTime="3/27/20";EndTime="3/28/20"}

or by using Get-EventLog

See screenshot. How do I grab the individual properties, or some properties, from the Message section?

Thanks for your help,
Screen-Shot-2020-03-27-at-5.54.44-PM.png
0
If you have any responsibilities for managing the ICT budget for your organisations, can you share any examples of lessons learned on areas you may have identified or any honest 'mistakes made' where your company was perhaps wasting money.

We have a risk/audit team who do a lot of good focus on cyber security, data protection etc, but some other issues have come to light in recent years where money was being wasted due to poor asset management/monitoring processes (i.e. smartphones that were not even being used by the person given them), which got me thinking what other common mistakes could be being made which may be worth delving further into as part of their cycle of reviews.

Not overly sure what category to add this to so gone with a broad area as I know a lot of participants in these areas often seem to have senior titles in their profiles so may be involved in this type of area or report directly to others who do.
0
Looking for comments on the overall security of FireFox Send (send.firefox.com).  My understanding is that all of the security tasks regarding the file (encryption, link generation, decryption) take place on the client side.  However, also received some sage advice that what a provider 'says' and what they 'do' (federal FISA warrant) can be two different things.  

I've done some basic searching online; have found some tutorials and an explanation by Mozilla on how the system works.  Really looking for some independent, third party vetting results.  I have looked on Git Hub, but didn't see anything that conclusively stated FF Send meets standard xxxxx or is xyz compliant, etc.

Is there any documentation out there verifying Mozilla's security claims and does anybody have any concerns with using this product when sharing PII (e.g. name, address, health status, income, etc)?
0
I'm trying to understand what a digital certificate is and why I need it to sign a document.  I know in the following instructions I can create my own digital certificate for free, but when and how do I use a digital certificate to sign something?  What is a digital signature in comparison to taking a picture of my signature and pasting it.  

Thanks.
0
Hi All,

How do I prepare a runbook for a Security Operations Centre? Are there any sites that can be referred to?

Thanks,
0
I need to edit my HOSTS file and it says only an administrator can do this.
When I go into security settings the key settings are grayed out!
I am the administrator. It's my laptop.


This is Windows 7 BTW,
0
CIS hardening benchmarks for Win 2016 (pg 534) & 2019 (pg 463 & 690) both indicate to enable EMET: attached.

However, the link below indicates it's been EOL, so does it still make sense to install/enable EMET, or is there a newer version of EMET?

https://support.microsoft.com/en-sg/help/2458544/the-enhanced-mitigation-experience-toolkit 

Are ASLR & DEP deprecated as well?
CIS_Microsoft_Windows_Server_2016_RT.pdf
CIS_Microsoft_Windows_Server_2019_RT.pdf
0
I have a security group A with 144 total members, and I need to move half, or 72 members, to group B. Is there a way to do this via PowerShell?
0
If I need to protect PII information, has Dropbox progressed to the point where the community feels safe using them?  Where do I get specific data on the actual standards they use?
0
See attached image for general idea about the structure...

I have a C# website built on IIS on SERVER01, and the website webform has the function shown in image 1:

using System.ServiceProcess;

public static string[,] ServiceInstalledList(string machineName)
{
    // get list of Windows services on the given machine (local or remote)
    ServiceController[] services = ServiceController.GetServices(machineName);
    // one row per service: name, status, display name, machine name, start type
    string[,] serviceList = new string[services.Length, 5];
    int i = 0;
    // fill in one row per service
    foreach (ServiceController service in services)
    {
        serviceList[i, 0] = service.ServiceName;
        serviceList[i, 1] = service.Status.ToString();
        serviceList[i, 2] = service.DisplayName;
        serviceList[i, 3] = service.MachineName;
        serviceList[i, 4] = service.StartType.ToString();
        i = i + 1;
        // if (service.ServiceName == serviceName)
        //    return true;
    }
    return serviceList;
}

It is working as expected when the "machineName" is the local server "SERVER01": it shows the list of services on the server.

But when I change the machineName to a remote server (server host name or server IP address) in the same network (10.0.0.0/24), I get the error attached in the second image.

The error shows the website can reach the server and can see it, but it does not have access. It is something related to security, passwords, etc.



[Win32Exception (0x80004005): Access is denied]

[InvalidOperationException: Cannot open Service Control Manager on computer 'SERVER02'. This operation might require other privileges.]
   System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManagerAccess) +51781
   System.ServiceProcess.ServiceController.GetServicesOfType(String machineName, Int32 serviceType) +183

123.PNG
122.PNG
124.PNG
0
I have a weird issue with my AD. We have a mix of 2008R2 and 2016 AD servers. We have a global security group for VPN users. If you are not part of that group, VPN access is denied. For some reason users get removed from that global security group. Different users are affected. I checked my default domain policy and there is no restricted access. What could cause this behavior?
0
I run Untangle as a NGFW and have the OpenVPN component on it. I also set up a client on it for my iPhone 7 and have OpenVPN on that as well.
I downloaded the files from UT's OpenVPN to my laptop. How do I get the files from there to the iPhone and configured?

Thanks!

--Ben
0
Please look at the attached picture.

I would like to create a PowerShell script I can run on a server to do the following things:

1 : Get all events with ID 4625
2 : Count the unique users and show them in a list (for example, for the last 24 hours) of who made the most failed login attempts.
 - So if the user "JJE" tried to sign in 9993 times and user "EAN" tried 1493 times, it would list something like this:

JJE : 9993
EAN : 1493

^ Hope this makes sense

I have tried some PowerShell myself, but I am stuck (the script is not finished, and something is probably missing):

Get-EventLog -LogName security | Where-Object { $_.InstanceID -eq "4625" }| Select-Object @{Name="UserName";Expression={ $_.ReplacementStrings[1]}}



Can you help me further?
Event4625.png
0
Is there a hierarchy of, say, the top 5 most powerful default groups in Active Directory? I see Domain Admins mentioned quite a lot, but I wondered if there were others to be concerned about, as we need to review memberships for the high-privilege groups across the domain.
0
I have an AD account that locks out within a minute every time I unlock it. When I check the security logs on the domain controller, I get a "Caller Computer Name" in the lockout event that references a computer not on our network, that does not fall within our naming convention, for example "FreeRDP" or "remmina". I use one computer at the firm, and I have had this happen when the computer is powered off. I cannot get an IP address from the hostnames it shows. Any idea how to narrow this down and resolve it, or do I have to change the account name in AD so I can work?
0
Hi all,
Is it possible to disable file transfer in Screen Sharing using the Screen Sharing application on macOS? The bottom line is that I don't want the remote user to be able to copy/send files between the computers. We are using macOS 10.14.x.
Any assistance is appreciated.
0
Trend Micro has an update. It runs into Spybot and Malwarebytes and wants them removed. I uninstalled both, but when I go back to Programs, Malwarebytes is still there. Our ISP tech support, which gives us Trend Micro as a part of our internet plan, cannot help. I've restarted, rebooted, etc. and Malwarebytes remains in the program list. I successfully uninstall it based on the message on the screen, but Trend Micro still finds it and wants it removed.
0
I currently have a Citrix NetScaler VPX 200 and I would like to enable 2-factor authentication. I'm new to setting up 2FA and any advice would be greatly appreciated.

The goal is to have the user sign into the NetScaler web portal and authenticate with their domain (LDAP) credentials. Upon successful login, the user is required to enter a passcode/one-time password that they would receive from an SMS message or, ideally, a code from an authenticator app (the Microsoft or Google authenticator app, for example). Once the user enters the one-time password, the user can access the VPN or ICA portal.

When researching what is involved in enabling this, it looks like a RADIUS server is required. I do have a Windows Server 2016 RADIUS server, but it doesn't seem to support what I'm looking for, unless Microsoft's terminology is different. I've opened a case with Citrix, but the only thing provided is links to set up RADIUS on the gateway, which I had already found before opening the case.

Has anyone been able to accomplish this? Thank you for your time.
0
Dear all

I would like to disable the 2-factor authentication temporarily on the Horizon 7.0 installation. We have 2 connection servers: one with 2-factor authentication, one without.

How can I switch the connection server temporarily in the security server so that 2-factor authentication is not needed?

Thank you very much for your help.

Patrick
0
I'm looking for Windows Event Log entries (from an Active Directory DC) related to "pass-the-ticket" (Golden/Silver Ticket) for testing my hunter script.
Where can I find or get an example evtx file?
0
Got the following high-risk penetration test finding on a platform which we develop on (from a vendor called K2). The vendor is rather inflexible in fixing such issues, and we have to wait for ages for the next release.


Presume any ONE of the 3 mitigations below suffices. How do we go about implementing mitigations #1 & #2 below? The web server is IIS.

If more details are needed, can sanitize the screens & attach later.


Description:
=========
The application allows interference with the way it processes sequences of HTTP requests that are received from one or more users.

The attacker can cause part of the front-end request to be interpreted by the back-end server as the start of the next request. It is effectively prepended to the next request, and so can interfere with the way the application processes that request.

It was possible to smuggle an HTTP request to the server by obfuscating Transfer-Encoding header. When the front-end/proxy server encounters obfuscated transfer-Encoding header, it uses Content-Length header to process the request. When the same HTTP request is forwarded to the backend/application server, Transfer-Encoding header is interpreted, thus splitting the smuggled attack request from the original request. In such a case, the attack request can interfere with the processing of next request which might be sent by any end user during the time of attack. During our testing, it was possible to receive a response from the server causing an open …
0
Dear Experts
We are implementing Exchange Server 2019 Enterprise on-premise and, for security, a Barracuda email security appliance (in the DMZ).
Please help on which ports need to be opened at the firewall, as well as between the email security appliance and the email servers. Please help on the following:
1. From firewall to Barracuda email security appliance, and from email security appliance to firewall
2. From Barracuda email security on-premise appliance to on-premise email server
3. From on-premise email server to Barracuda email security appliance
4. From email server to internet
Please help on the above, thanks in advance.
0
Hi All,

I am currently going to be upgrading a client from SEP to Bitdefender. They are currently running Symantec Endpoint Protection Small Business Edition. My question is: has anyone worked with this product, and can I simply delete the installed agent machines from the portal? If so, will this automatically uninstall the application from the Windows 10 and Mac machines, or do I have to reboot them for the uninstall to complete? Any assistance is appreciated.
0
One of the CIS Top 20 controls suggests maintaining an 'Inventory of Administrative Accounts'. Does Active Directory not already do this for you, to an extent, with the default admin group members such as Domain Admins, which you could query at any point in time?

https://www.cisecurity.org/controls/controlled-use-of-administrative-privileges/

How do you collect the data to populate such an inventory, and which specific group memberships go into it? In what format do you maintain the inventory, and is it dynamically populated or a manual process to keep it up to date? What level do you go down to, e.g. domain, OS, applications/database, applications, etc.? I appreciate that in theory every device/server/database/mailbox could have a differing set of administrators, although in practice there would be a lot of commonality across the environment.

Another thing it suggests in the CIS Top 20 is 'Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.' In your experience of doing pen tests/vulnerability assessments, are there any common types of accounts across systems joined to the network that may use the same passwords? I know how such tests take place, but having some clue on where passwords are often replicated across systems would be interesting.
0
Can any EErs help with which SonicOS is available on the SOHO 250? I've used the TZ 300 and 350 models and have a client that could use the SOHO 250. I need it to configure ports, NAT, device IPs, and firewall rules. I've not been able to get this question answered by Dell and have not called SonicWall yet.

Is the SonicOS the same on the SOHO 250 and TZ 350? If so, I can use the SOHO 250 for my client on a smaller budget. If not, I'll have to upgrade to the TZ series.
0