Security is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide. Computer systems now include a very wide variety of "smart" devices, including smartphones, televisions and tiny devices as part of the Internet of Things -– and networks include not only the Internet and private data networks, but also Bluetooth, Wi-Fi and other wireless networks.


Facing a very strange problem since yesterday: we suddenly lost connectivity with our FTP site with no apparent changes to the PCs and/or firewall settings. Well, the strange part is that I can successfully access it and upload files from home. My first thought was that the error is on the hosting side, and I submitted a remedy ticket, but was told that the possibility is very low since I am able to access the FTP site from home. I also contacted the ISP (Comcast) and the support tech reviewed the Business Gateway Router settings, which were also deemed OK... I also uninstalled Norton Security thinking it might be the culprit, but the issue remained the same, i.e. not able to connect to/access the FTP site from the office/work network. Any help and guidance will be appreciated.

Evening experts,

We have a number of instances of Event ID 5723, Source: NETLOGON, on one of our DCs with Win Svr 2008 installed (see below), although the PC in the event does not belong to our network and never did. I work for a financial organisation and security is as tight as it can be regarding physical access to our main office, so I'm assuming this access attempt was made remotely. Please, can you help me out here on how this could have happened? We don't have Wi-Fi on our network, so I'm a little baffled here. Please advise.

[screenshot: event id]
Hi Experts,

Is it possible to output a report into a CSV file that shows the logon and logoff timestamp history of a Windows Active Directory user?

The report only needs to be filtered for 1 specific AD user, and the key information I would like in the output is:
• Username
• Login date/time
• Logout date/time
• Successful/failed logon status

I believe this information would need to be extracted from the Security event logs on each domain controller, and I had in mind a script such as a PowerShell script (ideally a script that looks at all the DCs in the domain would be good).
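The script below is an added example (it is not from the original post and not an answer given in the thread). It reads the Security log of every domain controller returned by Get-ADDomainController, keeps the 4624 (logon), 4625 (failed logon) and 4634 (logoff) events whose TargetUserName matches the requested account, and writes them to a CSV. It assumes the ActiveDirectory RSAT module is installed, that the caller can read each DC's Security log remotely, and that logon auditing is enabled. The parameter names, default file name and sample account are assumptions. One caveat a practitioner should know before relying on the output: a DC records 4624/4634 only for logons to the DC itself (mostly network logons); interactive logons to workstations show up on the DC as Kerberos ticket events (4768/4769) or NTLM validation (4776), which have no logoff counterpart, so "logout" times for workstation sessions generally live in the workstation's own Security log.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) is installed, the caller can read each DC's Security log remotely
# (Remote Event Log Management firewall rule) and logon auditing is enabled.
param(
    [Parameter(Mandatory)][string]$UserName,   # sAMAccountName, e.g. 'jsmith' (assumed)
    [int]$Days = 30,
    [string]$OutFile = '.\logon-history.csv'   # assumed output path
)

Import-Module ActiveDirectory

# 4624 = successful logon, 4625 = failed logon, 4634 = logoff
$eventNames = @{ 4624 = 'Logon'; 4625 = 'Failed logon'; 4634 = 'Logoff' }
$filter = @{ LogName = 'Security'; Id = 4624, 4625, 4634; StartTime = (Get-Date).AddDays(-$Days) }

$rows = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # SilentlyContinue: a DC with no matching events in the window is not an error
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { Write-Warning "No matching events readable on $dc"; continue }

    foreach ($e in $events) {
        # Read named fields from the event XML instead of positional Properties[],
        # because the field order differs between 4624, 4625 and 4634.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $UserName) { continue }   # -ne is case-insensitive

        [pscustomobject]@{
            DomainController = $dc
            Username         = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Time             = $e.TimeCreated
            Event            = $eventNames[[int]$e.Id]
            Status           = $(if ($e.Id -eq 4625) { 'Failed' } else { 'Success' })
            LogonType        = $data['LogonType']
            LogonId          = $data['TargetLogonId']   # pairs a 4624 with its 4634
            SourceAddress    = $data['IpAddress']
        }
    }
}

$rows | Sort-Object Time | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ('{0} events for {1} written to {2}' -f @($rows).Count, $UserName, $OutFile)
```

Run it as `.\Get-LogonHistory.ps1 -UserName jsmith -Days 14` from an account that is at least a member of Event Log Readers on the DCs. Matching a 4634 to its 4624 is done through the LogonId column, not by timestamp order, because several sessions for the same user can overlap.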

Oh My Days, I'm missing the blatantly obvious somewhere, NTFS Permissions and Shared Permissions.

Centralised File Server (2016) in Azure - EMEA Share
Users across Europe have access to an EMEA share via a DFS namespace, delivered to users via a drive-map GPO.

All users receive the mapped drive, and all can see the EMEA Share presented by DFS.

Share permissions are set to Everyone Full Control and Administrators Full Control, allowing permission restrictions to be governed by NTFS permissions.

However, we want users to only have either 'Read' or 'Modify' NTFS access so security groups have been created accordingly, users added as members and Security Groups added to a target folder under EMEA.

As well as the normal Domain Admins, SYSTEM, CREATOR OWNER Groups under the folder permissions I add the RO and/or MOD security group and users cannot see any contents in the folder. But, If I add either the Authenticated Users, Domain Users, or Local (Server) Users Groups then the users can see contents.

By adding one of the user groups above I'm allowing all users to see the contents which is not what I want, how do I only present the folder, subfolders, files to users in the RO and/or MOD security groups?
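As an added example (not the poster's configuration and not an answer from the thread), this is how the intended NTFS layout is expressed in PowerShell: inheritance from the parent is broken with the inherited entries copied, the broad principals are removed, and only the RO and MOD groups are granted access with inheritance flags that reach subfolders and files. The folder path, domain and group names are assumptions. Two checks worth making before concluding the ACL is wrong: a user added to a group only picks up that group in their access token at the next logon, so a test user must log off and on again after being added; and the listing at the end shows exactly which explicit ACEs remain, which makes it easy to spot a broad entry that was re-added by a parent ACL.

```powershell
# Added example, not the poster's code. Folder, domain and group names are assumptions.
$Folder  = 'D:\Shares\EMEA\Finance'       # assumed target folder under the EMEA share
$ReadGrp = 'CONTOSO\EMEA-Finance-RO'      # assumed read-only group
$ModGrp  = 'CONTOSO\EMEA-Finance-MOD'     # assumed modify group

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    # Allow ACE that applies to this folder, its subfolders and its files
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, $propagate, 'Allow')
}

$acl = Get-Acl -Path $Folder

# Stop inheriting from the parent; $true,$true copies the inherited ACEs as explicit
# ones so the admin/SYSTEM entries survive and the broad ones can be pruned below.
$acl.SetAccessRuleProtection($true, $true)

# Remove the broad principals that would let every user read the folder.
$broad = 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'CONTOSO\Domain Users'
foreach ($ace in @($acl.Access | Where-Object { $broad -contains $_.IdentityReference.Value })) {
    [void]$acl.RemoveAccessRule($ace)
}

# Grant only the two role groups.
$acl.AddAccessRule((New-Ace $ReadGrp 'ReadAndExecute'))
$acl.AddAccessRule((New-Ace $ModGrp  'Modify'))
Set-Acl -Path $Folder -AclObject $acl

# Verification: list the explicit ACEs that now govern the folder.
(Get-Acl -Path $Folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType |
    Format-Table -AutoSize
```

Run it on the file server (or via Invoke-Command) as an administrator. If a user who is a member of the RO group still sees nothing after a fresh logon, compare the group's SID in `whoami /groups` on the client with the IdentityReference shown by the listing above; a mismatch points at token or trust problems rather than at the ACL.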
Hi Experts,

Since yesterday we have had some strange issues with Win10 machines.
When the user logs in, the screen is black and you cannot click anything.
We have checked the monitors and cables, all OK.
Do you have any info about this?

When I check the services on this machine, I can see a lot of services are in the "Starting" state.
See the screenshot.

[screenshot: starting services]
This article describes email relay concepts and the possible roadblocks and solutions to certain email security scenarios.
Kindly help with the short term as well as long term solution for the following.

Company A (XYZ.com) has an Exchange 2010 setup and has an O365 tenant; however, the mailboxes are not migrated yet. The external gateway is EOP.
Company B has an Exchange 2010 setup (LMN.com) and has a different O365 tenant. The mailboxes are not yet migrated to the cloud. The email security gateway provider connecting to the internet is different for both.

The requirement is that company B employees should be able to send emails using the SMTP @XYZ.com available to company A.

Please help with a short-term solution as the end goal is to merge both the organisations.
I have a domain with an '03 server and a 2012 (R2 I think) server. The 2012 box is the GC and has all the roles, but the 2k3 server is still a member of the domain etc.; the domain functional level is obviously 2003. Glad the '03 box wasn't decommissioned yet, as the 2012 box got hit with ransomware. Unfortunately their USB backup drive was also encrypted and they had no offsite setup. I need to reload the OS as I can't get SQL running again: can't uninstall it, can't install it, can't repair... it's all kind of jacked. What's the best process to get it reloaded and back as the GC of the domain? Do I need to assign the roles to the '03 box first, then dcpromo, then reinstall the OS, probably with a different name than before for good measure?
Hi Team,

This could be a very basic question to ask, but I wanted to be sure before making any changes.

A security audit recommends disabling DNS recursion on both internal AD-integrated DNS servers. I checked this option and found it stating "Disable recursion (also disables forwarders)".

My understanding of how domain-joined workstations/servers get internet DNS resolution is via forwarders configured on the DNS servers. So, if I disable DNS recursion, how do domain-joined machines get public DNS resolution?
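The following is an added check (not from the original post and not a reply from the thread). On Windows DNS, forwarding is simply recursion with a fixed upstream: the server still resolves the name on the client's behalf, which is why the console warns that disabling recursion also disables forwarders. A client that uses only these two servers therefore loses public resolution once recursion is off. The script shows, per server, whether recursion is enabled, which forwarders are configured, and whether a public name still resolves when that server is asked directly, so the effect of the change can be measured before and after. It assumes the DnsServer RSAT module is available and uses assumed server names and a public test name.

```powershell
# Added example, not from the original post. Assumes the DnsServer module (RSAT)
# and that the names below are the internal AD-integrated DNS servers.
$DnsServers   = 'dc01.corp.example', 'dc02.corp.example'   # assumed server names
$ExternalFqdn = 'www.microsoft.com'                        # any public name will do

function Test-DnsRecursionState {
    param([string[]]$Servers, [string]$ProbeName)
    foreach ($srv in $Servers) {
        $rec = Get-DnsServerRecursion -ComputerName $srv
        $fwd = Get-DnsServerForwarder  -ComputerName $srv

        # Ask this server, and only this server, for a public name; -DnsOnly
        # bypasses the local cache and hosts file so the answer reflects the server.
        $answer = Resolve-DnsName -Name $ProbeName -Server $srv -DnsOnly -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Server           = $srv
            RecursionEnabled = $rec.Enable
            Forwarders       = ($fwd.IPAddress -join ', ')
            UseRootHints     = $fwd.UseRootHint
            ResolvesExternal = [bool]$answer
        }
    }
}

Test-DnsRecursionState -Servers $DnsServers -ProbeName $ExternalFqdn | Format-Table -AutoSize
```

If the audit finding is about exposing an open resolver, the usual remediation on an internal AD DNS server is to keep recursion on and make sure the server is not reachable on UDP/TCP 53 from outside the network, rather than to disable recursion on the servers every domain member depends on.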
I have a T70 device I'd like to connect via BOVPN with an XTM2 device (with wireless) at a home office location. In front of the XTM2 I will have an AT&T U-verse router in bridged mode.

I'd like all of the data from one port on the xtm2 to go back and forth over the BOVPN.  I'd like all of the wireless traffic to travel out to the internet.  

Can someone please tell me if this is possible and point me in the right direction for accomplishing this? I've set up BOVPNs between two devices before, but that was moving all traffic between both devices, and I need to keep the wireless (home users) traffic off the VPN.

I'll be going to an in-person interview for a security position soon and wanted to hear what I should expect as far as technical questions go. Before you smart-aleck know-it-alls chime in stating that I shouldn't worry, because if I have enough experience I should be fine: I do have some years in the security realm, but wanted to get your insights. I'm assuming that some networking questions will also come my way, so throw those in as well.
Windows 7 Pro x64 SP1; found numerous entries for the following in the Security log:

Cryptographic operation.
Subject:
    Security ID: S-1-5-20
    Account Name: CARMEL-LT-PC$
    Account Domain: WORKGROUP
    Logon ID: 0x3e4
Cryptographic Parameters:
    Provider Name: Microsoft Software Key Storage Provider
    Algorithm Name: Not Available.
    Key Name: {F4A50D80-D19A-4DD7-A13C-ECB5788EBBA1}
    Key Type: Machine key.
Cryptographic Operation:
    Operation: Open Key.
    Return Code: 0x80090010

This computer is being managed with ConnectWise Automate v12.

Can anyone shed some light on this error?

Thanks in advance.
Cannot install the NDIS Capture Service on my NIC.
It states: "Could not add the requested feature. The error is: This program is blocked by group policy. For more info, contact your system administrator."

I am the system administrator.  There is not a GPO configured to block this installation.
I've looked for parameters in:
Computer Configuration | Administrative Templates | System | Removable Storage Access
Computer Configuration | Administrative Templates | System | Device Installation | Device Installation Restriction
I've run RSOP and there are no settings to this effect.

There are no settings inside either of these.

I've also checked local security and local group policy - there is also nothing defined there.

Anyone have any ideas?

Windows 10 pro, 17134.285

I've uninstalled Webroot Secure Anywhere thinking that might be the problem - no change
How can I create an immediate report when a virus is found in Kaspersky Security Center 10?
We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Expert comment by Andrew Leniart: Great article that explains the importance of not just relying on definition-based security solutions. Thanks for writing this. Interesting read!

Hi Experts,

We recently had one of our employees click on a link in an e-mail that took him to a fake site where he entered his credentials, and his e-mail account was compromised.
Management hired a cyber security company who did scans on the systems, his e-mails and also other things on the web.
We have managed Symantec Endpoint Protection (intrusion prevention, anti-malware), which is up to date and active.
We also didn't have anything set up on the back end (per management) to protect our e-mail against spam or malware; all e-mails were to come through.
The cyber people are telling management that Symantec only gets 20% of intrusions, viruses and malware. (I don't believe that; I have an e-mail box flooded with all the intrusions Symantec is catching, and not one virus in 4 years that it didn't catch.)
Management, on their advice, is most likely going to force me to uninstall Symantec from all of our workstations and servers and deploy Carbon Black?

Can anyone tell me if this sounds as insane as I think it is? Anyone familiar with Carbon Black?

Please help. I don't trust this at all and would love to be proven right or wrong. I think this cyber company might be banking on management's fears from my co-worker's mistake.

Thank you
Need feedback on installing Windows Defender (known as Microsoft Security Essentials) on Server 2012 R2. I have a host running 2016 Standard Server with 2 VMs. One VM is 2016 Server and the other was downgraded to 2012 R2 Standard Server by Microsoft. We had a licensing issue and the best option was downgrading to save on downtime. The 2nd VM is an Exchange server and doesn't have Windows Defender / Msft Sec Essentials installed.

1. What success and procedures have others had installing Windows Defender (known as Microsoft Security Essentials) on Server 2012 R2?
2. Any concerns running it on an Exchange server?

This article explains the unsupported steps to install Msft Sec Essentials. Has anyone tried this procedure, and how did it go?

Microsoft TechNet explains turning on the feature located under 'User Interface and Infrastructure / Desktop Experience', which I confirmed is installed. I can't locate Defender/MSFT Essentials anywhere.
[screenshot: Desktop Experience]
I had an interview and was asked a couple of questions which I'm not 100% sure I answered correctly, or whether my answers were what the interviewer was looking for, and I wanted to know how you experts would have answered them.

1.  What is broadcast/unicast and I forget the other option?

2.  How do you secure a switch?

3.  From a security point of view, what occurs at layers 4-7?

I've created a TS to make a clean installation of Windows 10 Pro 1803.
Everything goes fine until the TS reaches the "Setup Windows and Configuration Manager" step. As you know, at this step the computer reboots. In my case, the TS doesn't continue: the system restarts, but the SCCM client is not installed, and neither are the applications.

I've tried to find a solution to this issue on the internet, but no results.

Can anyone help me with this issue?

I have:
SCCM version 1806
SCCM Client 5.00.8692.1008

Here are the last lines of my smsts.log.

Successfully completed the action (Setup Windows and Configuration Manager) with the exit win32 code 0
"MP server http://siteserver.mydom.com. Ports 80,443. CRL=false."
Setting authenticator
Sending StatusMessage
Setting the authenticator.
CLibSMSMessageWinHttpTransport::Send: WinHttpOpenRequest - URL: siteserver.mydom.com:80  CCM_POST /ccm_system/request
Not in SSL
Request was successful.
Set a global environment variable _SMSTSLastActionRetCode=0
Set a global environment variable _SMSTSLastActionSucceeded=true
Expand a string: %_SMSTSMDataPath%\Logs
Clear local default environment
The action (Setup Windows and Configuration Manager) requested a retry
Reboot to local harddisk
_OSDGinaIsConfigured variable set to TRUE
_SMSTSServiceStartType variable set to …

Attached is an SSL scan report (by Qualys) of 2 portals:

a) Will such deficiencies flagged by Qualys be flagged by a black-box pentest as well (the tester is using Tenable Nessus)?

b) for the items highlighted in yellow, if we place a WAF & CDN in front of the portal, can the items be remediated?
    I heard F5 WAF could 'block' off SSLv3, TLS1.0 & 1.1 as a way of mitigating but what about the weak ciphers etc?

Have a Checkpoint NIDS as well if this is of any help.

We can obtain a fresh cert if needed  but concerns are:
a) We don't plan to change the A10 load balancer (that's used for the 2 portals); I understand a number of the flagged items are due to this A10 LB.
b) The applications team can't amend the code in the short term (but we have only a couple of months to remediate).
One of the monthly IT Security metrics in my previous place was to show the # of 'High' DDoS alerts for the month (leaving out the Med & Low ones), extracted from Arbor Peakflow of the clean pipe.

Attached is how one such extraction looks: basically we count the # of 'High' alerts.

In my new place, the question was raised how this data can be useful as an IT Security metric.

My guess is Audit wants to see a trend (of 6-12 months) of the # of 'High' alerts for DDoS: if it's always about the same, no alarm, but if, say, for a particular month it triples, it's a concern?

Does anyone have any clue how this data (or any other Peakflow data) could be useful for presentation to serve as IT Security

Does anyone have any application DDoS security metrics that could be useful as IT Security metrics?
Has anyone had any luck with removing/recovering from nozelesn ransomware?
I'm trying to establish if my OfficeScan has OfficeScan's ransomware protection below:

Ransomware Protection Enhancements in OfficeScan 11.0 SP1 Critical Patch 6054
Detection details of the OSCE 11.0 SP1 Critical Patch 6054 Ransomware Prevention Summary widget

The above 2 lines are extracted from the link below:

The last screen in the attachment shows Scheduled Scan is disabled: is it a good idea to enable it? I thought to have it enabled either during lunch hours (for users who bring their laptops home) or at night (for users who leave their PCs/laptops powered on in the office at night). I've heard many recommendations that an on-demand scheduled scan is quite essential too. It's just that it's hard to determine which laptops are being brought home.

The attachment is what's shown on my laptop.
A couple of years back, Trend Micro's .DAT file could be searched (using the find or grep command) for certain malware names.

I'm now using OfficeScan V12.0.1352 & I think the signature file is VsapiNT.sys.

I'm trying to track if GlobeImposter ransomware is in our current OfficeScan signature, & the 2 links below seem to say that TM documented it quite some time ago:

But when I searched for "glob" (I suppose FakeGlobal, as it's known to Trend Micro, would be listed in the latest VsapiNT.sys signature), it's not there. I'd appreciate steps on how to list the malware covered by OfficeScan's signature file:

C:\foren>find/i "glob" *.sys |more

---------- TMPREFLT.SYS

---------- TMXPFLT.SYS

---------- VSAPINT.SYS
JungUm Global
Corel Global Macro(GMS)
I have a wildcard security certificate, i.e. *.domainname.com, which is currently on a server.
I am moving my website to the Azure platform. When I ran the PCI scan on a test.domainname.com site on Azure, the PCI scan reported a failure saying:

Title: SSL Certificate with Wrong Hostname

Synopsis: The SSL certificate for this service is for a different host.

Impact: The 'commonName' (CN) attribute of the SSL certificate presented for this service is for a different machine.

Resolution: Purchase or generate a proper certificate for this service.

Data Received: The identities known by SecurityMetrics are : waws-prod-XXX-XXX.api.azurewebsites.windows.net

The Common Name in the certificate is : waws-prod-XXX-XXX.publish.azurewebsites.windows.net

The Subject Alternate Names in the certificate are : waws-prod-cw1-005.ftp.azurewebsites.windows.net

Can anyone help here? The certificate I have is a wildcard certificate, and test.domainname.com runs OK in a browser.
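The script below is an added check (not the poster's code and not a reply from the thread). A multi-tenant front end such as Azure App Service picks the certificate to present from the Server Name Indication (SNI) the client sends in the TLS ClientHello; a client that sends no SNI, or a name the front end does not know, gets the platform's default certificate, which is what the scan output above shows (a waws-prod-…azurewebsites.windows.net subject instead of *.domainname.com). The function connects to the site, lets the caller choose what name to send as SNI, and prints the subject and Subject Alternative Names of whatever certificate comes back; running it once with the site name and once with an IP literal (which RFC 6066 does not allow in SNI, so no extension is sent) reproduces the browser's view and the scanner's view side by side. The site name is the one from the post; the comparison approach and the function name are assumptions.

```powershell
# Added example, not the poster's code. Shows which certificate a TLS endpoint
# presents for a given SNI name. Certificate validation is deliberately switched
# off because the point is to observe what is presented, not to trust it.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,      # host or IP to open the TCP connection to
        [Parameter(Mandatory)][string]$TargetHost,  # name sent as SNI; an IP literal sends none
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($TargetHost)

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        # 2.5.29.17 is the Subject Alternative Name extension
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }

        [pscustomobject]@{
            SniSent    = $TargetHost
            Subject    = $cert.Subject
            SANs       = $san
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        $tcp.Close()
    }
}

$Site = 'test.domainname.com'   # site name from the post
$ip   = (Resolve-DnsName -Name $Site -Type A | Where-Object { $_.Type -eq 'A' } |
         Select-Object -First 1).IPAddress

# 1) Browser-style handshake: SNI = the site name; expect the *.domainname.com wildcard.
Get-PresentedCertificate -Server $ip -TargetHost $Site
# 2) Scanner-style handshake with no SNI: expect the platform default certificate.
Get-PresentedCertificate -Server $ip -TargetHost $ip
```

If the first call returns the wildcard and the second returns the azurewebsites.windows.net certificate, the binding is correct and the finding is a property of how the scanner connected; the remediation is to have the scan target the hostname (so SNI is sent) or to have the scanning vendor mark the finding as a false positive for an SNI-only endpoint. If both calls return the default certificate, the custom-domain SSL binding is not in place for that hostname.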