Security Focus: Check Credential Guard Status with PowerShell

In Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-the-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting…


One-Liner: Use PowerShell to Verify Domain Controller Location

It's generally a bad thing if a domain controller isn't in the Domain Controllers OU. For example, the Default Domain Controllers Policy may not be applied. Here's a cheeky one-liner to check you're good:

Get-ADDomainController -Filter * | ForEach-Object { if ($_.ComputerObjectDN -notmatch "CN=$($_.Name),OU=Domain Controllers,$($_.DefaultPartition)") { Write-Output "$($_.Name) computer object DN set to $($_.ComputerObjectDN)" }…


Security Focus: Use PowerShell to List Authentication Policy Silo Members

A while back, I wrote a couple of posts on implementing Authentication Policies and Authentication Policy Silos.

Authentication Policy Silos

We can use an Authentication Policy Silo to restrict the authentication scope of highly privileged users, e.g. user A can only authenticate against server A and server B… if they try to log on somewhere else,…


Ooooh… PnP Cmdlets & Surface Book Fun!

PowerShell just gives and gives and gives. Whilst looking for automated UEFI management options for my Surface Book, I came across the PnpDevice cmdlets. Time for a play! Some code to software-disable some of the numerous cameras that come with the shiny, shiny Surface Book:

$IntelCam = Get-PnpDevice -Class MEDIA -FriendlyName "Intel(R) AVStream Camera 2500"…


One-Liner: Use PowerShell to Get GPOs Containing User Settings

Last week we used Get-ADObject to find GPOs based on their flags attribute. We targeted GPOs that were configured with user settings enabled and computer settings disabled. This week we'll find GPOs containing user settings. I'll show you two ways, the second of which is preferred…

Way, the first – Get-GPOReport

Get-GPO -All | ForEach-Object {…


Use PowerShell to Get GPO Status Flag

Here's an interesting little exercise in using Get-ADObject to see which parts of a Group Policy are enabled or disabled. By parts, I mean the User or Computer settings.

Over to Get-ADObject…

#Constants
New-Variable -Name UE_CE -Value 0 -Option Constant #User Enabled / Computer Enabled
New-Variable -Name UD_CE -Value 1 -Option Constant #User Disabled /…


Security Focus One-Liner: AD Privileged User and Password Doesn't Expire

I get to perform security assessments against Active Directory. It's always fascinating. There's a check that lists privileged users that are configured to not expire their password. Now, a proportion of flagged accounts are Service Accounts, but there are sometimes human-associated administrative accounts listed. This poor administrative practice still happens… after all these years of Active Directory, and after all these…


Parameter ValueFromPipelineByPropertyName Argument

A customer pointed out that ValueFromPipelineByPropertyName wasn't working as expected in one of their scripts. I wrote a very simple code sample to demonstrate what the syntax should look like and to show the functionality in action. Hang on, I'm getting ahead of myself…

Param ([parameter(ValueFromPipelineByPropertyName=$true)] [String[]]$MachineName)

The Param() statement lets us define parameters for…


Security Focus: Orphaned AdminCount -eq 1 AD Users

AdminSDHolder and AdminCount have appeared in a few recent posts. In fact, in addition to this post, I've got another one on this topic lined up. It'll be the last (for now), I promise! Anyway, to business… It's long been known that objects that have been marked as AdminCount = 1 can become orphaned. Consider…


Back to Basics: Change an Attribute on a File

Today's post is short and sweet… just like the PoSh Progeny! Here's a short and sweet way to manipulate file attributes. Stuff like 'Read-only' and 'File is ready for archiving' in the below image. First up, add an attribute. We have a file that is marked as Archive and Offline. Time to add ReadOnly.

#Attribute…
