Evening experts,

We have a number of instances of Event ID 5723 Source: NETLOGON on one of our DC's with Win Svr 2008 installed (see below). Although the pc in the event does not belong to our network and never did. I work for a financial organisation and security is as tight as it can be regarding physical access to our main office so I'm assuming this access attempt was made remotely. Please, can you help me out here on how this could have happened? We don't have wifi on our network so I'm a little baffled here. Please advise.  

Oh My Days, I'm missing the blatantly obvious somewhere, NTFS Permissions and Shared Permissions.

Environment
Centralised File Server (2016) in Azure - EMEA Share
Users across Europe have access to a EMEA Share via a DFS namespace, delivered to users via drive map GPO

All users receive the mapped drive, and all can see the EMEA Share presented by DFS.

Shared Permissions are set for Everyone Full Control, and Administrators Full Control allowing permission restrictions to be governed by NTFS Perms.

However, we want users to only have either 'Read' or 'Modify' NTFS access so security groups have been created accordingly, users added as members and Security Groups added to a target folder under EMEA.

As well as the normal Domain Admins, SYSTEM, CREATOR OWNER Groups under the folder permissions I add the RO and/or MOD security group and users cannot see any contents in the folder. But, If I add either the Authenticated Users, Domain Users, or Local (Server) Users Groups then the users can see contents.

By adding one of the user groups above I'm allowing all users to see the contents which is not what I want, how do I only present the folder, subfolders, files to users in the RO and/or MOD security groups?

I have a domain with an 03 server and 2012 (r2 I think) server.  The 2012 box is GC and has all the roles, but the 2k3 server is still a member of the domain etc - the domain function level is obv 2003.  Glad the 03 box wasn't decommissioned yet as the 2012 box got hit with ransomware.  Unfortunately their usb backup drive was also encrypted and they had no offsite setup.  I need to reload the OS as I can't get SQL running again - cant uninstall it, cant install it, cant repair...its all kind of jacked.  Whats the best process to get it reloaded and back as the GC of the domain? Do I need to assign the roles to the 03 box first, then dcpromo, then reinstall OS and probably with a different name then before for good measure?
Thanks

I have a T70 device I'd like connect up via BOVPN with a XTM2 device (with wireless) at a home office location.  In front of the XTM2 I will have an AT&T uverse router in bridged mode.

I'd like all of the data from one port on the xtm2 to go back and forth over the BOVPN.  I'd like all of the wireless traffic to travel out to the internet.  

Can someone please tell me if this is possible and point me in the right direction for accomplishing this?   I've setup BOVPN's between two devices before but it was moving all traffic between both devices and I need to keep the wireless (home users) traffic off the VPN.

I'll be going to a security position in-person interview soon and wanted to hear what I should expect as far as technical questions?  Before you smart aleck know-it-alls chime in stating that you shouldn't worry, because if you have enough experience you should be fine.  I do have some years in the security realm, but wanted to get your insights.   I'm assuming that some networking questions will also come my way, so throw those in as well.

Cannot install the NDIS Capture Service on my NIC.
It states: "Could not add the requested feature.  The error is: This program is blocked by group policy.  For more info, contact your system adminstrator"

I am the system administrator.  There is not a GPO configured to block this installation.
I've looked for parameters in:
Computer Configuration | Administrative Templates | System | Removable Storage Access
Computer Configuration | Administrative Templates | System | Device Installation | Device Installation Restriction
I've run RSOP and there are no settings to this effect.

There are no settings inside either of these.

I've also checked local security and local group policy - there is also nothing defined there.

Anyone have any ideas?

Windows 10 pro, 17134.285

I've uninstalled Webroot Secure Anywhere thinking that might be the problem - no change

Need feedback installing Windows Defender (known as Microsoft Security Essentials) on Server 2012 R2. Have a host running 2016 Standard Server with 2 VM's. One VM is 2016 Server and the other downgraded to 2012 R2 Standard Server by Microsoft. Had a licensing issue and the best option was downgrading to save on downtime. 2nd VM is an exchange server and doesn't have Windows Defender / Msft Sec Essentials) installed.

Questions:
1. What sucess and procedures have others followed to install Windows Defender (known as Microsoft Security Essentials) on Server 2012 R2?
2. Any concerns running on an exchange server?

This article  explains the unsupported steps to install Msft Sec Essentials. Anyone try this procedure and how did it go?

Microsoft Tech Net explains turn on the feature located 'User Interface and Infrastructure / Desktop Experience' which I confrirmed is installed. Can't locate Defender/MSFT Essential anywhere.

Hi!

I've created a TS to make a clean installation of Windows 10 pro 1803.
Everything goes fine, until the TS rises the "Setup Windows and Configuration Manager" step. As you know, at this step the computer reboots. In my case, the TS doesn't continue, the system restart but SCCM client it's not installed, and either the applications.

I've tried to find out any solution to this issue in internet, but no results.

Can anyone help me with this issue???

I have:

Here are the last lines of my smsts.log.


!--------------------------------------------------------------------------------------------!            
Successfully completed the action (Setup Windows and Configuration Manager) with the exit win32 code 0            
"MP server http://siteserver.mydom.com. Ports 80,443. CRL=false."            
Setting authenticator            
Sending StatusMessage            
Setting the authenticator.            
CLibSMSMessageWinHttpTransport::Send: WinHttpOpenRequest - URL: siteserver.mydom.com:80  CCM_POST /ccm_system/request            
Not in SSL            
Request was successful.            
Set a global environment variable _SMSTSLastActionRetCode=0            
Set a global environment variable _SMSTSLastActionSucceeded=true            
Expand a string: %_SMSTSMDataPath%\Logs            
Clear local default environment            
The action (Setup Windows and Configuration Manager) requested a retry            
Reboot to local harddisk            
_OSDGinaIsConfigured variable set to TRUE            
_SMSTSServiceStartType variable set to …

Attached is an SSL scan report (by Qualys) of 2 portals:

a) will such deficiencies flagged by Qualys be flagged by a blackbox pentest as well (tester is using Nessus Tenable)?

b) for the items highlighted in yellow, if we place a WAF & CDN in front of the portal, can the items be remediated?
    I heard F5 WAF could 'block' off SSLv3, TLS1.0 & 1.1 as a way of mitigating but what about the weak ciphers etc?

Have a Checkpoint NIDS as well if this is of any help.


We can obtain a fresh cert if needed  but concerns are:
a) we don't plan to change the A10 loadbalancer (that's used for the 2 portals): understand a number of what's flagged is due to this A10 LB
b) the applications team can't amend the codes within the short term (but we have only a couple months to remediate)
SSLabscanJ2.docx

Has anyone had any luck with removing/recovering from nozelesn ransomware?

a couple of years back, Trendmicro's  .DAT file can be searched using (find or grep command) for
certain malware names.

I'm now using OfficeScan V12.0.1352 & I think the signature file is VsapiNT.sys

I'm trying to track if  globeimposter  ransomware is in our current officescan signature &
the 2 links below seems to say that TM has documented them quite some time ago:
 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-4th-2017-globeimposter-notpetya-and-more/
 https://www.trendmicro.com/vinfo/in/security/news/cybercrime-and-digital-threats/ransomware-recap-crypshed-spoofs-amazon-in-ransomware-campaign

but when I searched for "glob"  (I suppose FakeGlobal as it's known to Trendmicro) would have it
listed in the latest VsapiNT.sys signature but it's not there:
appreciate steps on how to list the malwares covered by Officescan's signature file:

C:\foren>find/i "glob" *.sys |more

---------- TMPREFLT.SYS

---------- TMXPFLT.SYS

---------- VSAPINT.SYS
GlobalAddAtomA
GlobalAddAtomW
GlobalAlloc
GlobalCompact
GlobalDeleteAtom
GlobalFindAtomA
GlobalFindAtomW
GlobalFix
GlobalFlags
GlobalFree
GlobalGetAtomNameA
GlobalGetAtomNameW
GlobalHandle
GlobalLock
GlobalMemoryStatus
GlobalReAlloc
GlobalSize
GlobalUnWire
GlobalUnfix
GlobalUnlock
GlobalWire
MakeCriticalSectionGlobal
JungUm Global
Corel Global Macro(GMS)
GLOBAL:
GLOBALNE:
GLOBALDOTPROMPT
GLOBAL
GLOBAL.DOT:
GLOBAL:
ExecuteGlobal
Global