Checking effective audit policy forest-wide (Get-Auditpol)

Too often when dealing with customers I find that audit settings are either poorly configured or not configured at all. The funny thing is that this is not industry dependent; some of the customers who you would think have the best audit configurations, due to various regulations and specific guidelines for auditing, in many cases…

DNS Debug Log – Enabling / Retrieving / Searching

The files you need for this:
https://psasync.codeplex.com/ – psasync runspaces multi-threading PowerShell module
https://github.com/kurtfalde/DNS-Debug – the DNS Debug scripts

I've been bugged recently (@jepayneMSFT) to post some scripts I put together quite a while back, so here they are. These were written due to an onsite visit with a customer where we knew various DNS…

EMET and DEP

I've seen various questions recently around the use of EMET and DEP for protecting processes. Prior to launching into this I highly recommend reading Rob Hensing's old but good articles on this at http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx and http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx. To get first things out of the way: DEP is an OS/system mitigation. EMET does not have a…

LAPS Audit Reporting via WEF PoSH and PowerBI

So I now have a few of these dashboard-type solutions for MS products, put together to help with managing products that don't ship with a reporting GUI. The previous blog article covered creating one of these for EMET; this article is basically…

EMET Reporting

So I frequently get customers who ask how they can know what EMET is actually doing out there. Unfortunately, like a number of our products, EMET is basically just the client. We do have GPOs to manage it, but there is no included System Center reporting console or the like. If your organization is fortunate…

Some PoSH to help with EVT XPath filter creation

Over time I have had enough hassles creating XPath filters for Event Log filtering / WEF setups that I finally decided to automate some of this to make it easier on myself. The following code lets you put in the Event Record ID of an event which you want to find again. If…

Restricted Admin mode for RDP in Windows 7 / 2008 R2

<# EDIT .. there has been a wiki article posted by my colleague John Rodriguez at http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx that discusses RDPRA configuration further. It is a good source of information and, since it's a wiki, is also a better place to keep updated easily. #> This is a follow-on post to my previous one…

Updated EMET.admx file to enable disabled settings for Default sets

An EMET customer pointed out that for the Default Sets in the .admx GPOs the "Disabled" setting wasn't actually doing anything. After some review it appeared that these 3 settings have an <enabledList> but no <disabledList> in the GPO to control them, which in turn meant the Disabled button didn't perform a removal…

Creating Exclusions from the Default Sets in EMET ADMX GPOs

I'm going to preface this by saying I do not currently recommend using our .admx GPOs for EMET. With that being said, some customers are required to use them from a compliance perspective, so this may help you in your role. If you use the .admx settings for EMET and have ever realized that…

KB2871997 and Wdigest – Part 2

If you got here inadvertently, glance at Part 1 as well. http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx already has a great section on this and discusses how to identify Wdigest use by looking at DC Security Event logs to see if you have any events that show Wdigest usage. If you are fortunate enough to have a SIEM solution…
