Stuff n Things

Yep I write about Stuff.. and Things

Securing your PowerShell Operational Logs

So you have actually upgraded to WMF5 and/or Win10 on your systems and have enabled script block...

Author: Kurt Falde Date: 05/13/2017

PSLockDownPolicy and PowerShell Constrained Language Mode

There have been a number of great articles about PowerShell both from an Attack perspective as well as...

Author: Kurt Falde Date: 01/20/2017

Checking effective audit policy forest wide (Get-Auditpol)

Too many times dealing with customers I find that audit settings are either poorly configured or not...

Author: Kurt Falde Date: 06/05/2016

DNS Debug Log–Enabling / Retrieving / Searching

The files you need for this: https://psasync.codeplex.com/ – psasync runspaces multi-threading...

Author: Kurt Falde Date: 05/27/2016

EMET and DEP

I’ve seen various questions recently around the use of EMET and DEP for protecting processes. Prior...

Author: Kurt Falde Date: 01/05/2016

LAPS Audit Reporting via WEF PoSH and PowerBI

So I have a few of these dashboard type solutions now for MS products that we’ve put together to...

Author: Kurt Falde Date: 11/18/2015

EMET Reporting

So I frequently get customers that ask how do I know what EMET is actually doing out there....

Author: Kurt Falde Date: 10/02/2015

Some PoSH to help with EVT Xpath filter creations

Over time I have had enough hassles creating xpath filters for Event Log Filtering / WEF setups that...

Author: Kurt Falde Date: 05/27/2015

Restricted Admin mode for RDP in Windows 7 / 2008 R2

<# EDIT .. there has been a wiki article posted by my colleague John Rodriguez at...

Author: Kurt Falde Date: 01/10/2015

Updated EMET.admx file to enable disabled settings for Default sets

An EMET customer pointed out that for the Default Sets in the .admx GPO’s the “Disabled”...

Author: Kurt Falde Date: 12/11/2014

Creating Exclusions from the Default Sets in EMET ADMX GPO’s

I’m going to preface this with I do not recommend usage of our .admx GPO’s currently for...

Author: Kurt Falde Date: 12/11/2014

KB2871997 and Wdigest - Part 2

If you got here inadvertently glance at Part 1 as well....

Author: Kurt Falde Date: 11/02/2014

KB2871997 and Wdigest - Part 1

In May of this past year we released a “Security” update labeled kb2871997 which basically back...

Author: Kurt Falde Date: 11/01/2014

Managing Trusted Sites via Policy for EMET ASR

Part of the new functionality of EMET allows you to block or allow plugins in IE based on the zone...

Author: Kurt Falde Date: 09/28/2014

Testing the ASR feature for Office documents in EMET 5.0

Had a customer recently ask me how to test the ASR feature for EMET 5.0 so figured I would write...

Author: Kurt Falde Date: 09/04/2014

Managing IE Sites for EMET with ASR (Attack Surface Reduction)

If you haven’t started testing EMET 5.0 please consider doing so especially if you are charged with...

Author: Kurt Falde Date: 08/27/2014

Setting EMET Local Configuration via GPP

Our PG released EMET 5.0 yeah and it works pretty well and has some cool new functionality such as...

Author: Kurt Falde Date: 08/01/2014

Configuring EMET via GPO/GPP w/o using the ADMX files

[UPDATE 7/23/2014] I've created a wiki page at...

Author: Kurt Falde Date: 04/29/2014

Xpath Event Log Filtering

So I’ve been working on some stuff lately with Event Log Forwarding and Auditing in general and have...

Author: Kurt Falde Date: 03/24/2014

Automatically refreshing EMET GPO’s

If you’ve tried configuring EMET via GPO’s you’ve probably come to realize that while the GPO’s...

Author: Kurt Falde Date: 03/13/2014

Restricted Admin mode for RDP in Windows 8.1 / 2012 R2

<# EDIT .. there has been a wiki article posted by my colleague John Rodriguez at...

Author: Kurt Falde Date: 08/14/2013

Another WSUS Cleanup Script

Just noticed this as I was looking for a solution for a different WSUS problem and thought I would...

Author: Kurt Falde Date: 04/20/2010

Some thoughts on Adobe Reader and malware

Not sure if anyone saw this bit of news recently where a report put out by ScanSafe indicates that...

Author: Kurt Falde Date: 03/10/2010

Some more logparser & eventcomb stuff for IR work

Counting and sorting by unique text in the strings section: As a follow on to a previous article...

Author: Kurt Falde Date: 01/27/2010

Determining the cause of FCS client performance issues

Realistically this process should work for other AV clients as well but I’m doing it in the context...

Author: Kurt Falde Date: 12/30/2009

Logparsing FCS to find files that were infected

Working an interesting case at the moment where we have multiple files across servers that were...

Author: Kurt Falde Date: 12/22/2009

Dealing with malware that creates .exe’s on file shares

So lately we keep seeing variants of malware that modifies content on file servers in an environment...

Author: Kurt Falde Date: 07/23/2009

How to go green with FCS

I’m not a treehugger but I can definitely see the $$ with power savings. Having said that I had a...

Author: Kurt Falde Date: 05/13/2009

Some Interesting FCS SQL Queries

With a recent case I have an issue where the client count of managed computers in MOM admin console...

Author: Kurt Falde Date: 05/08/2009

Update Views for FCS in WSUS

Nothing profound with this post just detailing out a step I typically recommend to most of our new...

Author: Kurt Falde Date: 04/08/2009

Cheap real time monitoring for Conficker clients

I already did one post about using eventcomb/logparser to look for clients but found a better way to...

Author: Kurt Falde Date: 03/09/2009

WSUS FCS Definitions

This is a follow up post to my previous FCS definitions post. The first one focused on the...

Author: Kurt Falde Date: 03/05/2009

Blocking and finding Conficker and Downadup systems

EDIT 4/27/09: THIS NO LONGER WORKS WITH NEW VARIANTS OF CONFICKER HOWEVER THE CONCEPT IS STILL SOUND...

Author: Kurt Falde Date: 02/09/2009

Understanding FCS Definitions

A fairly frequent question we get is how do FCS definitions work. How do I find just the deltas for...

Author: Kurt Falde Date: 02/09/2009

Using Logparser + Eventcomb to find malware

During the course of these Conficker / Downadup issues we typically see cases that started because...

Author: Kurt Falde Date: 01/28/2009

How-to: Removal of Conficker in your FCS environment

Another Conficker post :) however this one is aimed at our FCS customers. It semi-applies to other...

Author: Kurt Falde Date: 01/13/2009

More on File Shares and Autorun.inf with regards to malware

So in my last post I mentioned the fact that Conficker/Downad whatever can also have a component...

Author: Kurt Falde Date: 01/12/2009

Malware Win32/Conficker.B W32.Downadup.B

So for the past 2 weeks now we are absolutely getting hammered with calls in CSS Security here at MS...

Author: Kurt Falde Date: 01/08/2009

Changes to Microsoft Anti-Malware

This doesn’t really affect the FCS world but it is an interesting development....

Author: Kurt Falde Date: 11/19/2008

FCS .adm settings

I’m not really advocating using this and I can’t take credit for this as it was posted on the FCS...

Author: Kurt Falde Date: 11/14/2008

How to add extra scheduled scans or definition updates for FCS

The default option for scheduled scans in FCS is kind of sparse currently and it's something we get...

Author: Kurt Falde Date: 10/23/2008

FCS Intervals

So you've seen the following options with your FCS settings and are wondering how do these work???...

Author: Kurt Falde Date: 10/17/2008

FCS and System Center Essentials

Just found this posting on the SCE forums regarding integration of SCE and FCS:...

Author: Kurt Falde Date: 10/08/2008

Automating WSUS Cleanup

By default WSUS does not clean up anything in an automated manner. This is not normally too...

Author: Kurt Falde Date: 09/23/2008

FCS SP1

So Forefront Client Security SP1 is out now. To download it go to the Microsoft Update Catalog...

Author: Kurt Falde Date: 08/29/2008

FCS Database Sizing

One common issue we seem to be seeing in FCS support is that the DTS job that transfers data from...

Author: Kurt Falde Date: 08/25/2008