Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Event Filtering.


Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Event Filtering and Searching with XPath and PowerShell. SCOM ACS will unfortunately not be covered; there will be more of everything else instead.

Auditing (2000+)

Granular auditing (2008/Vista+)

Event viewer

Event viewer and XML

XPath: the XML "searching" language. Quick examples (against a States/State/display document):
  //State[population>20]
  /States/State[starts-with(display, 'C')]
  //State[position()=3]
  /States/*[starts-with(display, 'C')]
  //display[starts-with(., 'C')]
  //display[starts-with(text(), 'C')]

XPath in the Event viewer vs. WEVTUTIL
  Event viewer: the XPath is typed inside the XML of a <QueryList>, so comparison operators must be XML-escaped
    < must be written as &lt; (so <= becomes &lt;=); > may be written as &gt;
    only position(), band() and timediff() are available as functions
    "today" example: ... <= ... ]] (expression truncated on the slide)
  WEVTUTIL: takes the raw XPath with normal operators >, >=, <=, != ...
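One Security-log filter written the three ways the slide contrasts, as an added example that is not part of the original slides: raw XPath for wevtutil / Get-WinEvent -FilterXPath, the XML-escaped form for the Event viewer's XML tab / Get-WinEvent -FilterXml, and a Keywords test with band(). It assumes a Windows host with read access to the Security log; the 24-hour window (86400000 ms) and logon type 10 (RemoteInteractive) are illustrative choices, and the insertion-string index 5 (TargetUserName in a 4624 record) is a documented layout detail, not something from the slide.

```powershell
# Added example, not from the slides. Assumes Windows + read access to the Security log.

# 1) Raw XPath, as wevtutil and Get-WinEvent -FilterXPath take it: operators unescaped.
#    timediff(@SystemTime) = milliseconds between now and the event.
$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 86400000]] " +
         "and EventData[Data[@Name='LogonType']=10]]"

# 2) The same filter inside the <QueryList> XML of the Event viewer XML tab /
#    Get-WinEvent -FilterXml. It is XML text there, so '<' must become '&lt;'
#    (and '>' may become '&gt;'); SecurityElement.Escape does exactly that.
$escaped  = [System.Security.SecurityElement]::Escape($xpath)
$queryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$escaped</Select>
  </Query>
</QueryList>
"@

# 3) Keywords is a 64-bit bitmask, so Audit Success / Audit Failure are selected with band(),
#    not '=': 0x20000000000000 (9007199254740992) and 0x10000000000000 (4503599627370496).
$failuresOnly = "*[System[band(Keywords,4503599627370496) and (EventID=4625)]]"

function Get-RecentRemoteLogon {
    # Runs the 4624 / type 10 / last-24h filter; both forms return the same events.
    param([switch]$UseXml, [int]$MaxEvents = 50)
    $events = if ($UseXml) {
        Get-WinEvent -FilterXml $queryXml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    } else {
        Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    }
    foreach ($e in $events) {
        # Properties are the positional insertion strings; index 5 is TargetUserName in 4624
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; User = $e.Properties[5].Value }
    }
}

function Get-RecentFailure {
    param([int]$MaxEvents = 50)
    Get-WinEvent -LogName Security -FilterXPath $failuresOnly -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
}

# The same raw XPath from the command line (no escaping needed):
#   wevtutil qe Security "/q:$xpath" /c:50 /f:text
Get-RecentRemoteLogon | Format-Table -AutoSize
Get-RecentRemoteLogon -UseXml | Format-Table -AutoSize
```

Both Get-WinEvent forms return the same records; the escaped string is only needed because the Event viewer embeds the XPath in XML, which is why a filter pasted from wevtutil into the XML tab fails on every `<`.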

Logon auditing
  Account Logon event: the "authentication event", recorded when an account database validates credentials (on the DC for domain accounts)
  Logon event: the "session event", recorded every time an Access Token is created or closed (on the machine where the session lives)

NTLM and Schannel network logon (diagram): the Client sends its NTLM response in-band inside the application traffic to the Server; the Server passes it through to the DC over SMB or D/COM (dynamic TCP ports) for validation, so the credential check happens on the DC.

Kerberos network logon, basic principle (diagram): the Client obtains a TGT for the user from the DC, then a TGS (service ticket) for the Server from the DC, and presents the service ticket in-band inside the application traffic; the Server validates it without contacting the DC.

Auditing (Interactive Logon) (diagram with Client, DC and the SQL, FS and WFE servers): the Account Logon event (1) is recorded on the DC that validated the credentials; the Logon event (2) is recorded on the Client, where the session was created.

Logon types
  Type                     Value
  Interactive              2
  Network                  3
  Batch                    4
  Service                  5
  Unlock                   7
  NetworkCleartext         8
  NewCredentials           9
  RemoteInteractive        10
  CachedInteractive        11
  CachedRemoteInteractive  12
  CachedUnlock             13

Status codes (NTSTATUS values seen in Status/SubStatus of failed logon events)
  Status                          Value
  STATUS_WRONG_PASSWORD           0xC000006A
  STATUS_PASSWORD_RESTRICTION     0xC000006C
  STATUS_LOGON_FAILURE            0xC000006D
  STATUS_ACCOUNT_RESTRICTION      0xC000006E
  STATUS_INVALID_LOGON_HOURS      0xC000006F
  STATUS_INVALID_WORKSTATION      0xC... (value truncated on the slide)
  STATUS_PASSWORD_EXPIRED         0xC... (value truncated on the slide)
  STATUS_ACCOUNT_DISABLED         0xC... (value truncated on the slide)
  STATUS_LOGON_NOT_GRANTED        0xC... (value truncated on the slide)
  STATUS_LOGON_TYPE_NOT_GRANTED   0xC000015B
  STATUS_ACCOUNT_EXPIRED          0xC... (value truncated on the slide)
  STATUS_PASSWORD_MUST_CHANGE     0xC... (value truncated on the slide)
  STATUS_ACCOUNT_LOCKED_OUT       0xC... (value truncated on the slide)

Download err.exe (Microsoft's error code lookup tool; e.g. err 0xC000006A prints the matching STATUS_ name)
  2008 version: (URL lost on the slide)
  most up-to-date version: part of the SDK for Windows 8.1 (URL lost on the slide)

Auditing (Network session) (diagram with Client, DC and the SQL, FS and WFE servers): the Account Logon event (1) is recorded on the DC; the Logon event (2) is recorded on the server the client connected to, not on the Client.

Auditing (Interactive logoff) (diagram): the Logoff event (1) is recorded on the Client immediately at logoff.

Auditing (Network session logoff) (diagram): the Logoff event (1) is recorded on the server only when the TCP connection is closed, which can be long after the user stopped working.

PowerShell notes
  Get-WmiObject -ComputerName <server> -Query "SELECT ... FROM Win32_NTLogEvent WHERE ..."
  the useful properties are EventCode (the event ID) and InsertionStrings (the event data, by position only)
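The logon type and status tables above applied to real records, as an added example that is not part of the original slides: it parses a 4625 event's XML and resolves LogonType and Status/SubStatus by the Data element's Name attribute, which is more robust than the positional InsertionStrings of the WMI route noted on the slide. The sample 4625 record is constructed for offline testing (IDTT/user1, fs.idtt.local and 10.0.0.23 are invented); Get-FailedLogon reads the live log and needs a Windows host with read access to the target's Security log.

```powershell
# Added example, not from the slides. The sample record below is constructed.

$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}
# Only the NTSTATUS values that survive intact on the slide; look the rest up with err.exe.
$StatusNames = @{
    '0xc000006a' = 'STATUS_WRONG_PASSWORD';      '0xc000006c' = 'STATUS_PASSWORD_RESTRICTION'
    '0xc000006d' = 'STATUS_LOGON_FAILURE';       '0xc000006e' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'; '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
}

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $e  = [xml]$Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($e.NameTable)
    $ns.AddNamespace('ev', 'http://schemas.microsoft.com/win/2004/08/events/event')
    # EventData/Data elements carry a Name attribute, so no positional guessing is needed
    $d = @{}
    foreach ($n in $e.SelectNodes('/ev:Event/ev:EventData/ev:Data', $ns)) {
        $d[$n.GetAttribute('Name')] = $n.InnerText
    }
    $type = [int]$d['LogonType']
    # 4625: Status is usually the generic 0xC000006D; SubStatus carries the real reason
    $code = if ($d['SubStatus'] -and $d['SubStatus'] -ne '0x0') { $d['SubStatus'] } else { $d['Status'] }
    $reason = ''
    if ($code) {
        $reason = if ($StatusNames.ContainsKey($code.ToLower())) { $StatusNames[$code.ToLower()] }
                  else { "unknown $code, look it up with err.exe" }
    }
    [pscustomobject]@{
        EventID   = [int]$e.SelectSingleNode('/ev:Event/ev:System/ev:EventID', $ns).InnerText
        Time      = [DateTime]$e.SelectSingleNode('/ev:Event/ev:System/ev:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer  = $e.SelectSingleNode('/ev:Event/ev:System/ev:Computer', $ns).InnerText
        User      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        LogonType = $type
        TypeName  = $LogonTypeNames[$type]
        Source    = $d['IpAddress']
        Code      = $code
        Reason    = $reason
    }
}

# Constructed sample: a network logon (type 3) rejected because of a wrong password.
$Sample4625 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2014-06-10T09:15:02.123456700Z"/>
    <Channel>Security</Channel>
    <Computer>fs.idtt.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">user1</Data>
    <Data Name="TargetDomainName">IDTT</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.0.23</Data>
  </EventData>
</Event>
'@

function Get-FailedLogon {
    # Live version: 4625 records from a local or remote Security log, decoded the same way.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 100)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() }
}
# The slide's WMI route returns the same data, but only by position in InsertionStrings:
#   Get-WmiObject -ComputerName fs -Query "SELECT EventCode, InsertionStrings FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode=4625"

ConvertFrom-LogonEventXml $Sample4625 | Format-List   # TypeName Network, Reason STATUS_WRONG_PASSWORD
```

Remember where the record lives: a 4625 on a member server is the Logon (session) event; the matching Account Logon (authentication) event for the same attempt is on the DC that validated the credentials.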

Timestamps in LDAP (user attributes)
  pwdLastSet
  lastLogon (non-replicated, per DC)
  lastLogonTimestamp (replicated)
  lockoutTime
  badPasswordTime (non-replicated, per DC)
  accountExpires

Logon timestamps (diagram): each DC holds its own lastLogon for the user, because the attribute is not replicated: 11:38 on the DC the client last used, 9:00 on another, never on the third.

Logon timestamps, 2003 DFL (diagram): in addition, lastLogonTimestamp (11:00) is replicated and therefore identical on all three DCs, but it lags behind the real last logon.

lastLogonTimestamp
  Requires 2003 domain functional level
  Updated only once per 14 - random(5) days
    configured on the domain head, e.g. DC=idtt,DC=local, attribute msDS-LogonTimeSyncInterval
    1+: the minimum, without randomization
    5+: randomization starts
    14: the default
    ...

Authentication failures (diagram): a DC that rejects a password, including a DC that still holds the old password (pwd1) while the PDC emulator and other DCs already have pwd2, forwards the attempt to the PDC emulator before reporting a failure, so a freshly changed password works everywhere.

Authentication failures (diagram): badPwdCount (labelled badPasswordCount on the slide) is not replicated: the DC that saw the attempts has 2, while the PDC emulator, which receives every forwarded failure, has 7 and is the DC that sets lockoutTime once the threshold is reached.
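The consequence of the two diagrams in code, as an added example that is not part of the original slides: the non-replicated attributes (lastLogon, badPwdCount, badPasswordTime, lockoutTime) are read from every DC and the PDC emulator's badPwdCount is reported as the authoritative count, while the replicated lastLogonTimestamp and the domain's msDS-LogonTimeSyncInterval are read once. It assumes the RSAT ActiveDirectory module and read access to all DCs; the account name user1 is an example.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module and reachable DCs.

function ConvertFrom-ADFileTime {
    # AD stores these as FILETIME; 0 / empty means "never", which FromFileTime would show as 1601
    param($Value)
    if ($Value -and [int64]$Value -gt 0) { [DateTime]::FromFileTime([int64]$Value) } else { $null }
}

function Get-LogonFacts {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $perDc  = foreach ($dc in $dcs) {
        try {
            # -Server pins the read to one DC: these attributes differ from DC to DC
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon, badPwdCount, badPasswordTime, lockoutTime
            [pscustomobject]@{
                DC              = $dc
                IsPDC           = ($dc -eq $domain.PDCEmulator)
                lastLogon       = ConvertFrom-ADFileTime $u.lastLogon
                badPwdCount     = $u.badPwdCount
                badPasswordTime = ConvertFrom-ADFileTime $u.badPasswordTime
                lockoutTime     = ConvertFrom-ADFileTime $u.lockoutTime
            }
        } catch { Write-Warning "$dc not queried: $_" }
    }

    # Replicated values: any DC will do
    $r = Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp
    $syncDays = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
    if (-not $syncDays) { $syncDays = 14 }   # attribute unset = the default on the slide

    # the real last logon is the newest of the per-DC values
    $realLastLogon = $perDc.lastLogon | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    [pscustomobject]@{
        User                  = $SamAccountName
        lastLogon             = $realLastLogon
        # may lag lastLogon by up to msDS-LogonTimeSyncInterval minus a random 0-5 days
        lastLogonTimestamp    = ConvertFrom-ADFileTime $r.lastLogonTimestamp
        LogonTimeSyncInterval = $syncDays
        # every failure is forwarded to the PDC emulator, so its badPwdCount is the one to trust
        badPwdCountOnPDC      = ($perDc | Where-Object { $_.IsPDC }).badPwdCount
        PerDC                 = $perDc
    }
}

$facts = Get-LogonFacts -SamAccountName 'user1'
$facts | Format-List User, lastLogon, lastLogonTimestamp, LogonTimeSyncInterval, badPwdCountOnPDC
$facts.PerDC | Format-Table -AutoSize
```

Summing badPwdCount across DCs would double count, since the PDC emulator already increments its own copy for every failure forwarded to it; the per-DC table is still useful to see which DC the failing client talks to.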

Searching in LDAP (filter syntax)
  (name=m*)                     wildcard
  (&(name=m*)(c=cz))            AND
  (|(c=cz)(c=de))               OR
  (!(c=cz))                     NOT (the slide writes (!c=cz); RFC 4515 requires the inner parentheses)
  (whenCreated>= )              generalized time string, value lost on the slide
  (whenCreated>= Z)             the same with the trailing Z (UTC), value lost on the slide
  (pwdLastSet>= )               64-bit FILETIME integer, value lost on the slide
  (userAccountControl: :=2)     bitwise-AND matching rule (OID lost on the slide); bit 2 = account disabled

PowerShell and DateTime (date strings lost on the slide)
  get-date
  [DateTime]::Parse(" ")
  (get-date).AddDays(-50)
  ((get-date) - [DateTime]::Parse(" ")).Ticks
  ([DateTime]::Parse(" ") - [DateTime]::Parse(" ")).Ticks
  ((get-date).AddDays(-50) - [DateTime]::Parse(" ")).Ticks
  (a DateTime minus 1601-01-01, in ticks, is the FILETIME value that pwdLastSet and lastLogonTimestamp filters expect)
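The LDAP filters and DateTime arithmetic of the last two slides combined into one working search, as an added example that is not part of the original slides: it formats whenCreated as generalized time, converts the cutoff date to a FILETIME both with ToFileTimeUtc() and with the slide's ticks-since-1601 subtraction (and checks they agree), uses the bitwise-AND matching rule OID 1.2.840.113556.1.4.803 that the slide's userAccountControl filter lost, and runs the filter with System.DirectoryServices against the current domain. The 50-day window, the search base and the attribute list are assumptions.

```powershell
# Added example, not from the slides. Runs against the domain of the current user.

function Get-FileTimeFilterValue {
    # FILETIME = 100 ns ticks since 1601-01-01 UTC; this is what pwdLastSet / lastLogonTimestamp compare against
    param([Parameter(Mandatory)][DateTime]$Since)
    $epoch1601 = New-Object DateTime 1601, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $manual  = ($Since.ToUniversalTime() - $epoch1601).Ticks     # the slide's subtraction, spelled out
    $builtin = $Since.ToFileTimeUtc()                            # the framework's own conversion
    if ($manual -ne $builtin) { throw "FILETIME mismatch: $manual vs $builtin" }
    return $builtin
}

function Get-GeneralizedTime {
    # whenCreated is a generalized-time string: yyyyMMddHHmmss.0Z (UTC)
    param([Parameter(Mandatory)][DateTime]$When)
    $When.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
}

function New-StaleAccountFilter {
    # Enabled users created before the cutoff whose password was last set before the cutoff.
    # pwdLastSet=0 means "must change at next logon", so require >=1 to exclude those.
    param([int]$Days = 50, [DateTime]$Now = (Get-Date))
    $cutoff = $Now.AddDays(-$Days)
    $ft = Get-FileTimeFilterValue $cutoff
    $gt = Get-GeneralizedTime $cutoff
    "(&(objectCategory=person)(objectClass=user)" +
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +   # bit 2 clear = not disabled
    "(whenCreated<=$gt)(pwdLastSet<=$ft)(pwdLastSet>=1))"
}

function Find-StaleUsers {
    param([int]$Days = 50, [string]$SearchBase = [string]([adsi]'LDAP://RootDSE').defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.Filter     = New-StaleAccountFilter -Days $Days
    $searcher.PageSize   = 1000                                   # paged results, or AD stops at 1000 entries
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'pwdLastSet', 'whenCreated'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            sAMAccountName = $r.Properties['samaccountname'][0]
            pwdLastSet     = [DateTime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
            whenCreated    = $r.Properties['whencreated'][0]
        }
    }
}

New-StaleAccountFilter -Days 50          # show the filter that will be sent
Find-StaleUsers -Days 50 | Format-Table -AutoSize
```

The two date formats are the usual trap: whenCreated accepts only the generalized-time string, while the FILETIME attributes accept only the 64-bit integer, and a value in the wrong format silently matches nothing.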

Courses at the Gopas Computer School: GOC170 - AD Monitoring with SCOM and ACS; GOC171 - Active Directory Troubleshooting; GOC172 - Kerberos Troubleshooting; GOC173 - Enterprise PKI; GOC174 - SharePoint Architecture and Troubleshooting; GOC175 - Advanced Security; GOC169 - Auditing ISO/IEC 2700x. Get a TechEd 2014 T-shirt for a completed evaluation questionnaire. Gopas Computer School: your IT school of life.