SIEM Overview

Introduction

Security information and event management (SIEM) is a software solution to take event logs collected from all supported information technology (IT) infrastructure and applications and provide actionable security intelligence. These enterprise solutions provide real-time analysis of security alerts generated by applications and network hardware, providing an interface for research and analysis of provided data and alarms, while also providing an interface for deeper investigations and tracking the full scope of an event.

SIEM solutions have been around for many years, with different degrees of functionality and features depending on the product or vendor you choose.

The SIEM also provides a collection point for all logs, since a common attack profile includes an intruder attempting to cover their tracks by deleting the event logs from a compromised system. A SIEM collects the event logs in real-time, so even if the logs are deleted from the compromised system later, the events are still available for review from the SIEM copy of the logs. This helps preserve evidence and allows for detailed analysis of events even during a successful attack.

At its core, a SIEM is a data aggregator, search tool, and reporting system. SIEM gathers immense amounts of data from your entire networked environment, consolidates all that data and makes it human accessible. With the data categorized and laid out at your fingertips, an analyst can research possible data security breaches with as much detail as needed.

Summary of Capabilities

In practice many products in this area will have a mix of log-related functions, so there will often be some overlap – and many commercial vendors also promote their own terminology. A full solution will include simple collection and storage of log messages and audit trails, long-term storage as well as analysis and reporting of collected log data, real-time monitoring of new log events, correlation of events, notifications as suspicious events are collected, and console views for graphical analysis and research.

A key focus of a solution is to monitor and help manage user and service privileges, directory services and other application or system-configuration changes; as well as providing log auditing and review, analysis of related events, and incident response.
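The log-tampering case above is where the SIEM's forwarded copy earns its keep. The following is an added example, not code from the original post: a small PowerShell check that runs over event records of the shape Get-WinEvent returns and flags the two Windows events that record a log being cleared (Event ID 1102 for the Security log, Event ID 104 for the System and other logs; both are Microsoft's documented IDs). The sample records and the function name are constructed for this example.

```powershell
# Added example (not from the original post): flag "audit log cleared" events, the kind
# a SIEM still holds after an intruder wipes the local copy.

function Find-LogClearEvents {
    param(
        # Objects shaped like Get-WinEvent output: Id, TimeCreated, LogName, MachineName, Message
        [Parameter(Mandatory)] [object[]] $Events
    )
    $clearIds = @{ 1102 = 'Security audit log cleared'; 104 = 'Event log cleared' }
    foreach ($e in $Events) {
        if ($clearIds.ContainsKey([int]$e.Id)) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Host     = $e.MachineName
                Log      = $e.LogName
                EventId  = $e.Id
                Reason   = $clearIds[[int]$e.Id]
                Severity = 'High'
            }
        }
    }
}

# Constructed sample records standing in for the SIEM's forwarded copy of the logs.
$sample = @(
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2020-03-01T09:10:00'; LogName = 'Security'; MachineName = 'WS01.example.local'; Message = 'An account was successfully logged on.' }
    [pscustomobject]@{ Id = 1102; TimeCreated = [datetime]'2020-03-01T09:12:00'; LogName = 'Security'; MachineName = 'WS01.example.local'; Message = 'The audit log was cleared.' }
    [pscustomobject]@{ Id = 104;  TimeCreated = [datetime]'2020-03-01T09:12:05'; LogName = 'System';   MachineName = 'WS01.example.local'; Message = 'The System log file was cleared.' }
)

Find-LogClearEvents -Events $sample | Format-Table -AutoSize

# Against a live host (needs rights to read the Security log) the same function runs
# over real records:
# Find-LogClearEvents -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue)
```

The point of keeping the check outside the monitored host is the one the post makes: run it against the SIEM's copy, because the local event log on a compromised machine is exactly what the intruder will have emptied.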

Continue reading “SIEM Overview”

Enable Windows Defender Application Guard in Windows 10

Windows Defender Application Guard is an extra security feature of Windows 10 that rolled out several years ago. When enabled, it implements a sandbox for the Microsoft Edge browser, including Internet Explorer supported sites using Edge. Windows Defender Application Guard for Microsoft Edge is a lightweight virtual machine that helps isolate potentially malicious website activity from reaching your operating systems, apps, and data.

Three core features of Windows Defender Application Guard:

  • Isolated Browsing – Windows Defender Application Guard uses the latest virtualization technology to help protect your operating system by creating an isolated environment for your Microsoft Edge session.
  • Help Safeguard your PC – Windows Defender Application Guard starts up every time you visit a website that isn’t work-related to help keep potentially malicious attacks away from your PC.
  • Malware Removal – Any websites you visit, files you download, or settings you change while in this isolated environment are deleted when you sign out of Windows, wiping out any potential malware.

Windows Defender Application Guard uses Hyper-V virtualization technology to provide protection against targeted threats. It adds a special virtual layer between the browser and the OS, preventing web apps and the browser from accessing the actual data stored on the disk drive and in memory.

Prior to Windows 10 build 17063, the feature was exclusively available to Enterprise editions of Windows 10. Now, the feature is available to Windows 10 Pro users.

If you are running Windows 10 Pro build 17063 and above, you can try it in action.
Continue reading “Enable Windows Defender Application Guard in Windows 10”

History of PowerShell

PowerShell is a tool developed by Microsoft to provide a powerful command-line interface that allows users to perform various automation efforts. If you are familiar with the Linux and macOS command line, the PowerShell command line is very similar in purpose. PowerShell version 1.0 was first released in 2006 to support Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. The newest version is PowerShell 7, which is the replacement for the PowerShell Core 6.x products as well as Windows PowerShell 5.1, the previous supported Windows PowerShell version.

Development

Every version of Microsoft Windows has included a command-line utility for basic scripting operations to help manage the operating system, basically an interface similar to the older MS-DOS interface. The user would create a batch file containing basic scripting-language commands that could be used to automate various tasks. The automation abilities of this older interface were limited in scope and didn’t allow full automation of all Windows administrative operations. Microsoft addressed these concerns by introducing the Windows Script Host in 1998 with Windows 98, along with its command-line based host named cscript.exe. The problem was that the Windows Script Host still had limited abilities and was quickly seen by many as more helpful to hackers than to administrators.

By 2002, Microsoft was developing a new command-line management tool called Monad. Jeffrey Snover published a white paper in August 2002, called the “Monad Manifesto”, and this paper discussed the concept of translating Unix tools to the Windows platform. Since Windows is very different from Unix, this is much harder than it might seem.

Monad was first demonstrated at the Professional Development Conference (PDC) in 2003, later it was released to private beta, and was eventually published to public beta in June 2005. By April 2006, Microsoft had announced the initial Monad product had been renamed Windows PowerShell.

PowerShell v2.0 development began before PowerShell v1.0 was shipped. 

Initial Release

Release Candidate 2 of PowerShell version 1 was released in September 2006, with the formal release in November 2006 in Barcelona. PowerShell for earlier versions of Windows was released in January 2007. PowerShell v2.0 was completed and released to manufacturing in August 2009, and it was part of Windows 7 and Windows Server 2008 R2.

Release History

Windows PowerShell 1.0

PowerShell 1.0 was released in November 2006 for Windows XP SP2, Windows Server 2003 SP1 and Windows Vista. It is an optional component of Windows Server 2008.

Windows PowerShell 2.0

Windows PowerShell ISE v2.0 was released with Windows 7, and it was an integrated development environment for PowerShell scripts. The most remarkable feature introduced, with the help of WS-Management, allowed you to run your commands on a remote machine.

PowerShell 2.0 is integrated with Windows 7 and Windows Server 2008 R2 and is released for Windows XP with Service Pack 3, Windows Server 2003 with Service Pack 2, and Windows Vista with Service Pack 1.

PowerShell v2 includes changes to the scripting language and hosting API, in addition to including more than 240 new cmdlets.

New features of PowerShell 2.0 include:

  • PowerShell remoting: Using WS-Management, PowerShell 2.0 allows scripts and cmdlets to be invoked on a remote machine or a large set of remote machines.
  • Background jobs: Also called a PSJob, it allows a command sequence (script) or pipeline to be invoked asynchronously. Jobs can be run on the local machine or on multiple remote machines. An interactive cmdlet in a PSJob blocks the execution of the job until user input is provided.
  • Transactions: Enable cmdlets and developers to perform transactional operations. PowerShell 2.0 includes transaction cmdlets for starting, committing, and rolling back a PSTransaction as well as features to manage and direct the transaction to the participating cmdlet and provider operations. The PowerShell Registry provider supports transactions.
  • Advanced functions: These are cmdlets written using the PowerShell scripting language. Initially called “script cmdlets”, this feature was later renamed “advanced functions”.
  • Modules: This allows script developers and administrators to organize and partition PowerShell scripts in self-contained, reusable units. Code from a module executes in its own self-contained context and does not affect the state outside the module. Modules can define a restricted runspace environment by using a script. They have a persistent state as well as public and private members.
  • Script debugging: It allows breakpoints to be set in a PowerShell script or function. Breakpoints can be set on lines, line & columns, commands and read or write access of variables. It includes a set of cmdlets to control the breakpoints via script.
  • You can get more information about PowerShell v2 here.
  • Microsoft recommends that you no longer support, install, or use PowerShell v2.

Windows PowerShell 3.0

PowerShell 3.0 is integrated with Windows 8 and with Windows Server 2012. Microsoft has also made PowerShell 3.0 available for Windows 7 with Service Pack 1, for Windows Server 2008 with Service Pack 1, and for Windows Server 2008 R2 with Service Pack 1.

PowerShell 3.0 is part of a larger package, Windows Management Framework 3.0 (WMF3), which also contains the WinRM service to support remoting. Microsoft made several Community Technology Preview releases of WMF3. An early community technology preview 2 (CTP 2) version of Windows Management Framework 3.0 was released on 2 December 2011. Windows Management Framework 3.0 was released for general availability in December 2012 and is included with Windows 8 and Windows Server 2012 by default.

New features in PowerShell 3.0 include:

  • Scheduled jobs: Jobs can be scheduled to run on a preset time and date using the Windows Task Scheduler infrastructure.
  • Session connectivity: Sessions can be disconnected and reconnected. Remote sessions have become more tolerant of temporary network failures.
  • Improved code writing: Code completion (IntelliSense) and snippets are added. PowerShell ISE allows users to use dialog boxes to fill in parameters for PowerShell cmdlets.
  • Delegation support: Administrative tasks can be delegated to users who do not have permissions for that type of task, without granting them perpetual additional permissions.
  • Help update: Help documentations can be updated via Update-Help command.
  • Automatic module detection: Modules are loaded implicitly whenever a command from that module is invoked. Code completion works for unloaded modules as well.
  • You can get more information about PowerShell v3 here.

Windows PowerShell 4.0

PowerShell 4.0 is integrated with Windows 8.1 and with Windows Server 2012 R2. Microsoft has also made PowerShell 4.0 available for Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2012.

New features in PowerShell 4.0 include:

  • Desired State Configuration: Declarative language extensions and tools that enable the deployment and management of configuration data for systems using the DMTF management standards and WS-Management Protocol
  • New default execution policy: On Windows Servers, the default execution policy is now RemoteSigned.
  • Save-Help: Help can now be saved for modules that are installed on remote computers.
  • Enhanced debugging: The debugger now supports debugging workflows, remote script execution and preserving debugging sessions across PowerShell session reconnections.
  • -PipelineVariable switch: A new ubiquitous parameter to expose the current pipeline object as a variable for programming purposes
  • Network diagnostics to manage physical and Hyper-V’s virtualized network switches
  • Where and ForEach method syntax provides an alternate method of filtering and iterating over objects.
  • You can get more information about PowerShell v4 here.

Windows PowerShell 5.0

Windows Management Framework (WMF) 5.0 RTM which includes PowerShell 5.0 was re-released to web on 24 February 2016, following an initial release with a severe bug.

Key features included:

  • The new class keyword that creates classes for object-oriented programming.
  • The new enum keyword that creates enums.
  • Extending support for switch management to layer 2 network switches.
  • Debugging for PowerShell background jobs and instances of PowerShell hosted in other processes (each of which is called a “runspace”)
  • Desired State Configuration (DSC) Local Configuration Manager (LCM) version 2.0
  • DSC partial configurations
  • DSC Local Configuration Manager meta-configurations
  • Authoring of DSC resources using PowerShell classes
  • You can get more information about PowerShell v5 here.

Windows PowerShell 5.1

It was released along with the Windows 10 Anniversary Update in August 2016, and in Windows Server 2016. PackageManagement now supports proxies, PSReadLine now has ViMode support, and two new cmdlets were added: Get-TimeZone and Set-TimeZone. The LocalAccounts module allows for adding/removing local user accounts. A preview for PowerShell 5.1 was released for Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 in July 2016, and was formally released in January 2017.

PowerShell 5.1 is the first version to come in two editions, “Desktop” and “Core”. The “Desktop” edition is the continuation of the traditional Windows PowerShell that runs on the full .NET Framework stack. The “Core” edition runs on .NET Core and is bundled with Windows Server 2016 Nano Server. In exchange for a smaller footprint, the “Core” edition lacks some features such as the cmdlets to manage the clipboard or join a computer to a domain, WMI version 1 cmdlets, Event Log cmdlets, and profiles. This was the final version of PowerShell made exclusively for Windows.

PowerShell Core 6

PowerShell Core 6.0 was first announced in August 2016, when Microsoft unveiled PowerShell Core and also announced the decision to make the product cross-platform, independent of Windows, free, and open source. It achieved general availability in January 2018 for Windows, macOS, and Linux. It has its own support lifecycle and adheres to the Microsoft lifecycle policy that was introduced with Windows 10: only the latest version of PowerShell Core is formally supported. Microsoft expects to release one minor version of PowerShell Core 6.0 every six months.

The most significant change in this version of PowerShell is the expansion to the other platforms. For Windows administrators, this version of PowerShell did not include any major new features. In an interview with the community in January 2018, the PowerShell team was asked to list the top 10 most exciting things that would happen for a Windows IT professional who would migrate from Windows PowerShell 5.1 to PowerShell Core 6.0; in response, Angel Calvo of Microsoft could only name two: cross-platform and open-source.

According to Microsoft, one of the new features of PowerShell 6.1 is “Compatibility with 1900+ existing cmdlets in Windows 10 and Windows Server 2019.” Still, no details of these cmdlets can be found in the full version of the change log. Microsoft later professes that this number was insufficient as PowerShell Core failed to replace Windows PowerShell 5.1 and gain traction on Windows. It was, however, popular on Linux.

PowerShell Core 6.2 is focused primarily on performance improvements, bug fixes, and smaller cmdlet and language enhancements that improved developer productivity.

PowerShell 7

PowerShell 7 is the replacement for PowerShell Core 6.x products as well as Windows PowerShell 5.1, which was the last supported Windows PowerShell version. The focus in development was to make PowerShell 7 a viable replacement for Windows PowerShell 5.1, i.e. to have near parity with Windows PowerShell in terms of compatibility with modules that ship with Windows.

New features in PowerShell 7 include:

  • Near parity with Windows PowerShell in terms of compatibility with built-in Windows modules
  • A new error view
  • The Get-Error cmdlet
  • Pipeline chaining operators that allow conditional execution of the next cmdlet in the pipeline
  • You can get more information about PowerShell v7 here.

Use of PowerShell

PowerShell is a fully supported scripting language that is actively under development by Microsoft and it also has a strong user community. PowerShell is a modern command shell that includes the same features as other popular shells. PowerShell accepts and returns .NET objects, which makes it a very powerful tool. The shell includes the following features:

  • Robust command-line history
  • Tab completion and command prediction
  • Supports command and parameter aliases
  • Pipeline for chaining commands
  • In-console help system
  • Extensible through functions, classes, scripts, and modules
  • Extensible formatting system for easy output
  • Extensible type system for creating dynamic types
  • Built-in support for common data formats like CSV, JSON, and XML

There are multiple sources to help you get started with PowerShell. Starting PowerShell in Windows is really easy.
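The feature list above and the version notes before it are easier to appreciate in a short script. The following is an added example, not code from the original post: it applies the object pipeline, the simplified Where-Object syntax from 3.0, the Where/ForEach method syntax from 4.0, the class and enum keywords from 5.0, and the built-in CSV and JSON support to a constructed set of logon records. The records, the type names and the thresholds are all assumptions made for this example.

```powershell
# Added example, not part of the original post: the object pipeline and a few of the
# language features named in the version notes, applied to constructed logon records.

# Constructed input; ConvertFrom-Csv turns each row into an object with named members.
$logons = @'
User,Host,Result,Time
alice,WS01,Success,2020-03-01T08:05:00
bob,WS02,Failure,2020-03-01T08:06:00
bob,WS02,Failure,2020-03-01T08:06:10
bob,WS02,Failure,2020-03-01T08:06:20
alice,WS03,Success,2020-03-01T08:07:00
carol,WS04,Failure,2020-03-01T08:08:00
'@ | ConvertFrom-Csv

# Pipeline form: objects, not text, flow between cmdlets (Where-Object simplified syntax is 3.0+).
$repeatFailures = $logons | Where-Object Result -eq 'Failure' |
    Group-Object User | Where-Object Count -ge 3 |
    ForEach-Object { [pscustomobject]@{ User = $_.Name; Failures = $_.Count } }

# Method form (4.0+): the same filtering on the collection itself, without a pipeline.
$failedUsers = $logons.Where({ $_.Result -eq 'Failure' }).ForEach({ $_.User }) | Sort-Object -Unique

# class and enum (5.0+) give the result a real .NET type instead of a bag of properties.
enum Severity {
    Low
    Medium
    High
}

class LogonAlert {
    [string]   $User
    [int]      $Failures
    [Severity] $Severity

    LogonAlert([string] $user, [int] $failures) {
        $this.User = $user
        $this.Failures = $failures
        if ($failures -ge 5) { $this.Severity = [Severity]::High } else { $this.Severity = [Severity]::Medium }
    }
}

$alerts = $repeatFailures | ForEach-Object { [LogonAlert]::new($_.User, $_.Failures) }

# Formatting and type systems: a table for the console, JSON for the next tool in the chain.
$alerts | Format-Table -AutoSize
$alerts | ConvertTo-Json

"Users with any failed logon: $($failedUsers -join ', ')"
"Running on PowerShell $($PSVersionTable.PSVersion)"
```

With the constructed input only bob crosses the three-failure threshold, so one LogonAlert of Medium severity is produced; the class and enum lines require PowerShell 5.0 or later, which $PSVersionTable reports at the end.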

Resources

Wikipedia – PowerShell

Microsoft – PowerShell


Defending Against Mimikatz in Windows 10

Mimikatz is an offensive security tool developed by Benjamin Delpy in 2011. Mimikatz is a free tool that tries to scrape the memory of the target computer looking for the process responsible for Windows authentication (LSASS) to reveal cleartext passwords and NTLM hashes that the attacker can then use to attack other computers on the same network. The attacker can then escalate their account privilege either by authenticating with the cleartext credentials they just stole or by simply passing the stolen hash.

Mimikatz has been used by nation-state attackers, the first known case being the 2011 hack of the now-defunct Dutch certificate authority DigiNotar. The attackers issued bogus certificates for Google and used them to spy on the Gmail accounts of several hundred thousand Iranian users. Mimikatz has since been used by many malware creators to automate the spread of their worms, including the NotPetya attack and the 2017 BadRabbit ransomware outbreak. Mimikatz will likely remain an effective offensive security tool on Windows platforms for many years to come.

Mimikatz exploits Windows single sign-on (SSO) functionality to harvest credentials. Until Windows 10, Windows by default used a feature called WDigest that loads encrypted passwords into memory, but also loads the secret key to decrypt them. WDigest has been a useful feature for authenticating large numbers of users on an enterprise or government network, but also let Mimikatz exploit this feature by dumping memory and extracting the passwords.

Solution

Microsoft has reacted (somewhat slowly) to Mimikatz by publishing changes to address the security vulnerabilities identified, but you must apply the patches and recommendations below to address this security issue.

Continue reading “Defending Against Mimikatz in Windows 10”

Building a Successful Cybersecurity Strategy


When thinking of a strategy to address cybersecurity, your strategy must be one that is driven by a top-down management emphasis to build cybersecurity into everything a company does and builds. Cybersecurity can not be an afterthought or something that is added later, but it must be designed and implemented from the first day. If you have gaps today, they must be fixed and a management system must be put into place to prevent this type of issue in the future.

The first thing you must accomplish when building a mature strategy to fix your imperfect cybersecurity status is to perform a formal risk assessment. This will allow your team to compare your existing controls against an established security framework, like NIST, SANS, or CIS. A cybersecurity framework is a predefined set of controls that are identified and defined by leading cybersecurity organizations to help you enhance cybersecurity strategies within your enterprise. This will allow you to document what cybersecurity controls are already in place and how effective they are, and what controls are missing or ineffective. Once you have accomplished this step, it allows you to focus your change effort on the controls that will have the most impact to incrementally improve security with each change to the existing environment.

Now that you have a written list of needs you have a better understanding of where your team currently stands, including what controls are currently effective and which controls are missing or poorly implemented. This will also help you determine if you have the budget and personnel to make the required changes. You’ll now have a much better idea of where the biggest security gaps exist and it helps you assign a priority and schedule to each required change.

This might also be a good time to decide if outsourcing the effort, either in part or in full, might be a better solution for your business. Do you have the time and budget to train internal resources for the effort required to resolve the items identified for remediation? If you must hire new personnel, will you have time to onboard and complete orientation or training before you can start remediation of identified security issues, or should you outsource the remediation to an external resource with the experience and skill to quickly resolve your issues?

Continue reading “Building a Successful Cybersecurity Strategy”

Best Hacking Tools Of 2020: Bloodhound

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment so that an attacker can quickly understand your AD trust relationships. Attackers can use BloodHound to easily identify highly complex attack paths to find the quickest path to total domination, and defenders can use it to identify and eliminate those same attack paths before an attacker can compromise your network.

Enumeration Options

  • CollectionMethod – The collection method to use. This parameter accepts a comma separated list of values. Has the following potential values (Default: Default):
    • Default – Performs group membership collection, domain trust collection, local admin collection, and session collection
    • Group – Performs group membership collection
    • LocalAdmin – Performs local admin collection
    • RDP – Performs Remote Desktop Users collection
    • DCOM – Performs Distributed COM Users collection
    • GPOLocalGroup – Performs local admin collection using Group Policy Objects
    • Session – Performs session collection
    • ComputerOnly – Performs local admin, RDP, DCOM and session collection
    • LoggedOn – Performs privileged session collection (requires admin rights on target systems)
    • Trusts – Performs domain trust enumeration
    • ACL – Performs collection of ACLs
    • Container – Performs collection of Containers
    • ObjectProps – Collects object properties such as LastLogon and DisplayName
    • DcOnly – Performs collection using LDAP only. Includes Group, Trusts, ACL, ObjectProps, Container, and GPOLocalGroup.
    • All – Performs all Collection Methods except GPOLocalGroup
  • SearchForest – Search all the domains in the forest instead of just your current one
  • Domain – Search a particular domain. Uses your current domain if null (Default: null)
  • Stealth – Performs stealth collection methods. All stealth options are single threaded.
  • SkipGCDeconfliction – Skip Global Catalog deconfliction during session enumeration. This can speed up enumeration, but will result in possible inaccuracies in data.
  • ExcludeDc – Excludes domain controllers from enumeration (avoids Microsoft ATA flags 🙂 )
  • ComputerFile – Specify a file to load computer names/IPs from
  • OU – Specify which OU to enumerate

Continue reading “Best Hacking Tools Of 2020: Bloodhound”

Windows End-Of-Life Schedule

There are Windows end-of-life dates you should be monitoring. Windows 7 and Windows Server 2008 reached end of life in January 2020. Once a system has reached end-of-life you will no longer receive support from Microsoft, and there will be compliance questions as auditors will have issues with unsupported production systems having potential security vulnerabilities. You should develop a written plan to upgrade existing systems to a supported version, test the plan to verify you won’t have any issues, and implement the plan before your existing systems reach end-of-life.

When deploying a new system to production, your deployment plan should include a plan to either upgrade or retire the system before it reaches its projected vendor end-of-life date.

Continue reading “Windows End-Of-Life Schedule”

Enable Windows Defender Application Guard in Windows 10

How to Enable Windows Defender Application Guard in Windows 10

Windows Defender Application Guard is an extra security feature of Windows 10 that rolled out more than 3 years ago. When enabled, it implements a sandbox for the built-in web browsers in Windows 10, Edge and Internet Explorer. Windows Defender Application Guard for Microsoft Edge is a lightweight virtual machine that helps isolate potentially malicious website activity from reaching your operating systems, apps, and data.

Three core features of Windows Defender Application Guard:

  • Isolated Browsing – Windows Defender Application Guard uses the latest virtualization technology to help protect your operating system by creating an isolated environment for your Microsoft Edge session.
  • Help Safeguard your PC – Windows Defender Application Guard starts up every time you visit a website that isn’t work-related to help keep potentially malicious attacks away from your PC.
  • Malware Removal – Any websites you visit, files you download, or settings you change while in this isolated environment are deleted when you sign out of Windows, wiping out any potential malware.

Windows Defender Application Guard uses Hyper-V virtualization technology to provide protection against targeted threats. It adds a special virtual layer between the browser and the OS, preventing web apps and the browser from accessing the actual data stored on the disk drive and in memory.

Prior to Windows 10 build 17063, the feature was exclusively available to Enterprise editions of Windows 10. Now, the feature is available to Windows 10 Pro users.

If you are running Windows 10 Pro build 17063 and above, you can try it in action.
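The post says you can try the feature once you are on Pro or Enterprise at build 17063 or later. The following is an added example, not code from the original post: a PowerShell check of those prerequisites (plus the Hyper-V requirement the post mentions and an elevation check), followed by a function that turns the feature on. Windows-Defender-ApplicationGuard is Microsoft's documented optional-feature name; the function names are my own, and the edition match is an assumption that Pro and Enterprise are the supported editions the post refers to.

```powershell
# Added example, not part of the original post: verify the prerequisites named in the
# post and enable Windows Defender Application Guard. Run from an elevated prompt.

function Test-ApplicationGuardPrereq {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        Edition   = $os.Caption
        Build     = [int]$os.BuildNumber
        EditionOk = ($os.Caption -match 'Pro|Enterprise')        # assumption: the editions the post names
        BuildOk   = ([int]$os.BuildNumber -ge 17063)             # the build the post names
        # Hyper-V needs hardware virtualization; once a hypervisor is already running the
        # firmware flag reads False, so accept either signal.
        VtxOk     = ([bool]$cpu.VirtualizationFirmwareEnabled -or [bool]$cs.HypervisorPresent)
        Elevated  = $isAdmin
    }
}

function Enable-ApplicationGuard {
    $check = Test-ApplicationGuardPrereq
    if (-not ($check.EditionOk -and $check.BuildOk -and $check.VtxOk -and $check.Elevated)) {
        throw "Prerequisites not met:`n$($check | Out-String)"
    }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    if ("$($feature.State)" -eq 'Enabled') {
        return 'Windows Defender Application Guard is already enabled'
    }
    # -NoRestart leaves the reboot to you; the feature is active after the next restart.
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
}

Test-ApplicationGuardPrereq | Format-List
# Uncomment to apply once every prerequisite reports True:
# Enable-ApplicationGuard
```

Running the check first and enabling second keeps the change deliberate: on a Home edition or an older build the enable call would fail anyway, and the check tells you which prerequisite is missing before anything is changed.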
Continue reading “Enable Windows Defender Application Guard in Windows 10”

Allow Only One Instance of Microsoft Outlook

Microsoft Outlook is the Office product that allows users to gain access to their emails, contacts, and other information. It is used by many businesses and most times people set it to automatically start when they log into Windows.

Users can also open multiple instances of Outlook, either on purpose or by accident, which can cause confusion and wasted resources. This default behavior can be easily modified with a small change to the program shortcut.

To avoid multiple Outlook instances, simply add the “/recycle” switch to the command-line target of the Outlook shortcut.

  1. Right-click the Outlook shortcut in your start menu, select “More…”, then select the menu item “Open file location”.
  2. Right-click the Outlook shortcut in the file folder, and click on “Properties”.
  3. Select the “Shortcut” tab.
  4. In the Target field, append “/recycle” to the end of the command.
  5. Click OK to exit the property dialog

The next time you start Outlook, it will only allow one instance of the program. If the user attempts to restart a second instance, nothing appears to happen.
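The five steps above can be scripted, which matters when the change has to be rolled out to many workstations rather than one. The following is an added example, not code from the original post: it uses the WScript.Shell COM object to open the shortcut, appends the /recycle switch once, and saves it. The shortcut path is an assumption (the Start Menu location on a typical Office click-to-run install); the function name is my own.

```powershell
# Added example, not part of the original post: apply the "/recycle" switch to the
# Outlook shortcut in one step. Writing under ProgramData needs an elevated prompt.

function Set-OutlookSingleInstance {
    param(
        # Assumed default location; override with your own shortcut if it lives elsewhere.
        [string] $ShortcutPath = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Outlook.lnk'),
        [string] $Switch = '/recycle'
    )
    if (-not (Test-Path -LiteralPath $ShortcutPath)) {
        throw "Shortcut not found: $ShortcutPath"
    }

    $shell = New-Object -ComObject WScript.Shell
    $link  = $shell.CreateShortcut($ShortcutPath)   # opens the existing .lnk for editing

    # The "Target" field in the Properties dialog is TargetPath followed by Arguments,
    # so appending to the target means appending to Arguments.
    $existing = [string]$link.Arguments
    if (($existing -split '\s+') -contains $Switch) {
        return [pscustomobject]@{ Path = $ShortcutPath; Target = "$($link.TargetPath) $existing".Trim(); Changed = $false }
    }

    $link.Arguments = ($existing, $Switch -join ' ').Trim()
    $link.Save()
    [pscustomobject]@{ Path = $ShortcutPath; Target = "$($link.TargetPath) $($link.Arguments)"; Changed = $true }
}

Set-OutlookSingleInstance | Format-List
```

The membership test on the existing arguments makes the script safe to run twice: a second run reports Changed = False instead of producing a target that ends in "/recycle /recycle".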

Windows End-Of-Life Schedule

There are Windows end-of-life dates you should be monitoring. Windows 7 reaches end of life in January 2020. Once a system has reached end-of-life you will no longer receive support from Microsoft, and there will be compliance questions as auditors will have issues with unsupported production systems having potential security vulnerabilities. You should develop a written plan to upgrade existing systems to a supported version, test the plan to verify you won’t have any issues, and implement the plan before your existing systems reach end-of-life.

When deploying a new system to production, your deployment plan should include a plan to either upgrade or retire the system before it reaches its projected vendor end-of-life date.

This chart from Microsoft will help you understand the end-of-life dates for the various versions of Windows.

Summary

Windows XP - 04/08/2014
Windows Vista - 04/11/2017
Windows 7 - 01/14/2020
Windows 8/8.1 - 01/10/2023
Windows 10 - 10/14/2025
Windows Server 2003 - 07/14/2015
Windows Server 2003 R2 - 07/14/2015
Windows Server 2008 - 01/14/2020
Windows Server 2008 R2 - 01/14/2020
Windows Server 2012 - 10/10/2023
Windows Server 2012 R2 - 10/10/2023
Windows Server 2016 - 01/12/2027
Windows Server 2019 - 01/09/2029
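The chart is only useful if it is compared against what is actually running. The following is an added example, not code from the original post: it carries the dates from the chart above, matches an operating-system caption (the form Win32_OperatingSystem reports, such as "Microsoft Windows Server 2012 R2 Standard") against them, and reports, for a constructed inventory of hosts, which are already unsupported and which are inside a warning window. The host list, the warning window and the function name are assumptions made for this example.

```powershell
# Added example, not part of the original post: turn the end-of-life chart into a
# check that works over an inventory or the local machine.

# Dates as given in the chart (MM/dd/yyyy). The R2 entries are listed before their
# base versions so that "Server 2008 R2" is not matched as "Server 2008".
$WindowsEndOfLife = @(
    @{ Name = 'Windows XP';             Pattern = 'Windows XP';          Date = '04/08/2014' }
    @{ Name = 'Windows Vista';          Pattern = 'Windows Vista';       Date = '04/11/2017' }
    @{ Name = 'Windows 7';              Pattern = 'Windows 7\b';         Date = '01/14/2020' }
    @{ Name = 'Windows 8/8.1';          Pattern = 'Windows 8(\.1)?\b';   Date = '01/10/2023' }
    @{ Name = 'Windows 10';             Pattern = 'Windows 10\b';        Date = '10/14/2025' }
    @{ Name = 'Windows Server 2003 R2'; Pattern = 'Server 2003 R2';      Date = '07/14/2015' }
    @{ Name = 'Windows Server 2003';    Pattern = 'Server 2003';         Date = '07/14/2015' }
    @{ Name = 'Windows Server 2008 R2'; Pattern = 'Server 2008 R2';      Date = '01/14/2020' }
    @{ Name = 'Windows Server 2008';    Pattern = 'Server 2008';         Date = '01/14/2020' }
    @{ Name = 'Windows Server 2012 R2'; Pattern = 'Server 2012 R2';      Date = '10/10/2023' }
    @{ Name = 'Windows Server 2012';    Pattern = 'Server 2012';         Date = '10/10/2023' }
    @{ Name = 'Windows Server 2016';    Pattern = 'Server 2016';         Date = '01/12/2027' }
    @{ Name = 'Windows Server 2019';    Pattern = 'Server 2019';         Date = '01/09/2029' }
)

function Get-EndOfLifeStatus {
    param(
        [Parameter(Mandatory)] [string] $OsCaption,
        [datetime] $AsOf = (Get-Date),
        [int] $WarnDays = 365        # assumption: start planning a year ahead
    )
    $entry = $WindowsEndOfLife | Where-Object { $OsCaption -match $_.Pattern } | Select-Object -First 1
    if (-not $entry) {
        return [pscustomobject]@{ Caption = $OsCaption; Version = 'unknown'; EndOfLife = $null; DaysLeft = $null; Status = 'Unknown' }
    }
    $eol  = [datetime]::ParseExact($entry.Date, 'MM/dd/yyyy', [cultureinfo]::InvariantCulture)
    $days = [int]($eol - $AsOf.Date).TotalDays
    $status = if ($days -lt 0) { 'Unsupported' } elseif ($days -le $WarnDays) { 'PlanUpgrade' } else { 'Supported' }
    [pscustomobject]@{ Caption = $OsCaption; Version = $entry.Name; EndOfLife = $eol.ToString('yyyy-MM-dd'); DaysLeft = $days; Status = $status }
}

# Constructed inventory, evaluated as of a fixed date so the output is reproducible.
$inventory = @(
    [pscustomobject]@{ Host = 'DC01';  Caption = 'Microsoft Windows Server 2008 R2 Standard' }
    [pscustomobject]@{ Host = 'APP02'; Caption = 'Microsoft Windows Server 2012 R2 Standard' }
    [pscustomobject]@{ Host = 'WS07';  Caption = 'Microsoft Windows 7 Professional' }
    [pscustomobject]@{ Host = 'WS10';  Caption = 'Microsoft Windows 10 Pro' }
)

$inventory | ForEach-Object {
    Get-EndOfLifeStatus -OsCaption $_.Caption -AsOf ([datetime]'2020-03-01') |
        Add-Member -NotePropertyName Host -NotePropertyValue $_.Host -PassThru
} | Sort-Object DaysLeft | Format-Table Host, Version, EndOfLife, DaysLeft, Status -AutoSize

# Local machine, as of today:
# Get-EndOfLifeStatus -OsCaption (Get-CimInstance Win32_OperatingSystem).Caption
```

As of the constructed date, DC01 and WS07 report Unsupported (their January 2020 dates have passed), while APP02 and WS10 report Supported; the -AsOf and -WarnDays parameters are what you would tune when building the written upgrade schedule the post recommends.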

Defending Against Mimikatz

Mimikatz is an offensive security tool developed by Benjamin Delpy in 2011. Mimikatz is a free tool that tries to scrape the memory of the target computer looking for the process responsible for Windows authentication (LSASS) to reveal cleartext passwords and NTLM hashes that the attacker can then use to attack other computers on the same network. The attacker can then escalate their account privilege either by authenticating with the cleartext credentials they just stole or by simply passing the stolen hash.

Mimikatz has been used by nation-state attackers, the first known case being the 2011 hack of the now-defunct Dutch certificate authority DigiNotar.  The attackers issued bogus certificates for Google and used them to spy on the Gmail accounts of several hundred thousand Iranian users. Mimikatz has since been used by many malware creators to automate the spread of their worms, including the NotPetya attack and the 2017 BadRabbit ransomware outbreak. Mimikatz will likely remain an effective offensive security tool on Windows platforms for many years to come.

Mimikatz exploits Windows single sign-on (SSO) functionality to harvest credentials. Until Windows 10, Windows by default used a feature called WDigest that loads encrypted passwords into memory, but also loads the secret key to decrypt them. WDigest has been a useful feature for authenticating large numbers of users on an enterprise or government network, but also let Mimikatz exploit this feature by dumping memory and extracting the passwords.

Solution

Microsoft has reacted (somewhat slowly) to Mimikatz by publishing changes to address the security vulnerabilities identified, but you must apply the patches and recommendations below to address this security issue.

The basic procedures to address the issues identified are:

      1. Limit administrator privileges to the smallest group possible. Even if you have thousands of user accounts, you should probably only have 2-10 administrator accounts. Start with two accounts and force users to justify any additional accounts added to the administrator group.
      2. Upgrade the schema and functional level of your forest and domain to at least 2012 R2. This domain functional level adds a fairly new group called “Protected Users”. Along with other protections, members of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. These changes provide powerful protections that make Mimikatz almost worthless.
      3. Verify KB2871997 has been installed to apply the additional required security. After you install this update, the default on Windows 7 and Windows 8 is still not to forcibly clear leaked logon-session credentials for non-protected users. To override this default, add the DWORD value TokenLeakDetectDelaySecs under the following key and set it to the recommended value of 30 (seconds):
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
      4. Stop storing passwords in memory by changing the “UseLogonCredential” DWORD value to 0 instead of the default value of 1; passwords are then no longer available to Mimikatz. The value lives under:
         HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
      5. Start monitoring your systems for unauthorized software and malware, which should help identify Mimikatz installation and activity.
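As an added example (not from the original post), the PowerShell below audits a host against steps 1 through 4 and, with -Apply, writes the two registry values from steps 3 and 4. The -MaxAdmins threshold, the PASS/FAIL/CHECK/SKIP labels and the helper function names are this example's own assumptions; the Active Directory checks need the RSAT ActiveDirectory module and the script should run from an elevated prompt.

```powershell
#requires -version 3
<#
  Added example: audit the Mimikatz mitigations (steps 1-4 above) on this host.
  Without -Apply the script only reports; with -Apply it sets the two registry
  values. -MaxAdmins (assumed, from the "2-10 administrator accounts" guidance)
  is the ceiling for Domain Admins membership.
#>
param(
    [switch]$Apply,
    [int]$MaxAdmins = 10
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# Reads a REG_DWORD; returns $null when the key or value does not exist.
function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Writes a REG_DWORD, creating the key and value as needed.
function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Step 3: is KB2871997 present? Get-HotFix only lists updates installed as
# separate packages, so on builds where it has been rolled up this reads as
# "not found" and must be verified against the build level instead.
if (Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue) {
    Add-Finding 'KB2871997 installed' 'PASS' 'Found by Get-HotFix'
} else {
    Add-Finding 'KB2871997 installed' 'CHECK' 'Not listed by Get-HotFix (may be superseded)'
}

# Step 3: TokenLeakDetectDelaySecs = 30 under the Lsa key.
$tld = Get-RegDword $lsaKey 'TokenLeakDetectDelaySecs'
if ($tld -eq 30) {
    Add-Finding 'Lsa\TokenLeakDetectDelaySecs' 'PASS' 'Set to 30'
} else {
    Add-Finding 'Lsa\TokenLeakDetectDelaySecs' 'FAIL' ("Current: {0}" -f $(if ($null -eq $tld) { 'not set' } else { $tld }))
    if ($Apply) { Set-RegDword $lsaKey 'TokenLeakDetectDelaySecs' 30 }
}

# Step 4: UseLogonCredential = 0 so WDigest stops keeping logon credentials in
# LSASS memory. An absent value is reported as FAIL because the post describes
# 1 as the default; setting 0 explicitly is safe on every supported version.
$ulc = Get-RegDword $wdigestKey 'UseLogonCredential'
if ($ulc -eq 0) {
    Add-Finding 'WDigest\UseLogonCredential' 'PASS' 'Set to 0'
} else {
    Add-Finding 'WDigest\UseLogonCredential' 'FAIL' ("Current: {0}" -f $(if ($null -eq $ulc) { 'not set' } else { $ulc }))
    if ($Apply) { Set-RegDword $wdigestKey 'UseLogonCredential' 0 }
}

# Steps 1 and 2 need the AD module: admin group size, functional level, and
# whether anyone has actually been placed in Protected Users.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
    $status = if ($admins.Count -le $MaxAdmins) { 'PASS' } else { 'FAIL' }
    Add-Finding 'Domain Admins size' $status "$($admins.Count) members (threshold $MaxAdmins)"

    # Functional levels below Windows2012R2Domain do not have the Protected Users group.
    $mode = (Get-ADDomain).DomainMode.ToString()
    $tooLow = $mode -match '^Windows(2000|2003Interim|2003|2008R2|2008|2012)Domain$'
    Add-Finding 'Domain functional level' $(if ($tooLow) { 'FAIL' } else { 'PASS' }) $mode

    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -ErrorAction SilentlyContinue)
    Add-Finding 'Protected Users members' $(if ($protected.Count -gt 0) { 'PASS' } else { 'FAIL' }) "$($protected.Count) members"
} else {
    Add-Finding 'Active Directory checks' 'SKIP' 'ActiveDirectory module not available'
}

$findings | Format-Table -AutoSize
# Non-zero exit code when anything failed, so a configuration-management run can gate on it.
exit (@($findings | Where-Object Status -eq 'FAIL').Count)
```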

You’ll have to test these changes to see what breaks, but the idea is to implement some fairly basic changes to protect your network.

Summary

Implementing these simple changes makes a successful Mimikatz attack much more difficult.

Troubleshooting RDP connections to Azure VMs

One of the most important aspects of placing your computers on Azure is the ability to connect to them using the Remote Desktop Protocol (RDP) to manage your Windows-based virtual machines (VMs). The issue with RDP can be with the Remote Desktop service on the VM, the network connection, or the Remote Desktop client on your host computer. We will attempt to guide you through some of the most common methods to troubleshoot and resolve common RDP connection issues.

The steps are displayed in the general order, but you should try reconnecting to the VM after each troubleshooting step.


Best Hacking Tools Of 2017: Nessus Vulnerability Scanner

Developed by Tenable Network Security, this tool is one of the most popular vulnerability scanners on the market. Tenable provides different versions, depending on your needs: Nessus Home, Nessus Professional, Nessus Manager, and Nessus Cloud.

You can use Nessus to scan for multiple types of vulnerabilities, including remote access flaws, misconfigurations, denial of service against the TCP/IP stack, preparation for PCI DSS audits, malware detection, sensitive data searches, etc. Nessus can also call popular external tools.

Nessus is supported by a variety of platforms including Windows, Mac OS, and popular Linux distributions like Debian, Ubuntu, Kali Linux, etc.

You can get more information and download the Nessus Home (free) tool here. The commercial version is available here.

Best Hacking Tools Of 2017: ADBrute

If you have an Active Directory environment, you want to make it as secure as possible. ADBrute allows you to test the security of your Active Directory users. When a domain user's network account expires, or when the account is locked due to incorrect login attempts, the domain administrator may reset the password to the default password defined by company policy. If your users do not change their password after it has been reset by the administrator, it creates a major security hole.

A malicious user could easily use the default password to log in to the victim's user account, delete, read and send mail, or access other resources on the network.

ADBrute is simple to use:

  1. Run ADBrute.
  2. Enter the name of the domain controller and valid login credentials to connect to the Active Directory. The user can be any user on the domain.
  3. Click on Login and wait till the entire user list for your organization is populated from the AD.
  4. You can double click on a User to view additional information.
  5. Enter the default password for your organization and press the start button.
  6. Sit back until the program scans and enumerates users who use the default password.
  7. You can export both the lists, the entire user list as well as the weak user list to three different file formats, .csv, .txt and .xls.
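The risk described above (accounts left on the default password after an administrator reset) can also be found from the defender's side without trying any passwords. The PowerShell below is an added example, not part of ADBrute or the original post: it reads Security event 4724 ("An attempt was made to reset an account's password") from a domain controller and flags enabled accounts whose password has not changed since that reset; -Computer, -Days and -Remediate are this example's own parameters.

```powershell
#requires -version 3
<#
  Added example: list accounts whose password was reset by an administrator
  (Security event 4724) and has not been changed by the user since, i.e. the
  accounts most likely still sitting on the company default password.
  Run on a domain controller or point -Computer at one. -Remediate forces a
  password change at next logon for the accounts found.
#>
param(
    [string]$Computer = $env:COMPUTERNAME,
    [int]$Days = 30,          # assumed look-back window
    [switch]$Remediate
)
Import-Module ActiveDirectory

# All 4724 events in the window; Get-WinEvent returns nothing (not an error) if there are none.
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4724
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

# Keep only the most recent reset per target account, with who performed it.
$latestReset = @{}
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $target = $data['TargetUserName']
    if (-not $latestReset.ContainsKey($target) -or $e.TimeCreated -gt $latestReset[$target].When) {
        $latestReset[$target] = [pscustomobject]@{ When = $e.TimeCreated; By = $data['SubjectUserName'] }
    }
}

$stale = foreach ($name in $latestReset.Keys) {
    # Computer accounts and deleted users are skipped (Get-ADUser throws for them).
    $u = try { Get-ADUser -Identity $name -Properties PasswordLastSet, pwdLastSet } catch { $null }
    if (-not $u -or -not $u.Enabled) { continue }
    $reset = $latestReset[$name]
    # pwdLastSet = 0 means "must change at next logon" is still pending, so the
    # reset password is still live. Otherwise a PasswordLastSet within a few
    # seconds of the 4724 event means nobody has changed it since the reset.
    $unchanged = ($u.pwdLastSet -eq 0) -or ([math]::Abs(($u.PasswordLastSet - $reset.When).TotalSeconds) -lt 5)
    if ($unchanged) {
        [pscustomobject]@{
            User              = $u.SamAccountName
            ResetBy           = $reset.By
            ResetAt           = $reset.When
            MustChangePending = ($u.pwdLastSet -eq 0)
        }
    }
}

$stale | Sort-Object ResetAt | Format-Table -AutoSize

if ($Remediate) {
    # Accounts already flagged "must change" need nothing; force the rest.
    foreach ($s in ($stale | Where-Object { -not $_.MustChangePending })) {
        Set-ADUser -Identity $s.User -ChangePasswordAtLogon $true
        Write-Host "$($s.User): password change at next logon enforced"
    }
}
```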

You can get more information and download the tool here.

Best Hacking Tools Of 2017: Metasploit

Many people know Metasploit as a collection of exploit tools, but it is really an infrastructure that you can use to build your own custom tools. This very popular free cybersecurity tool will help you locate vulnerabilities on multiple platforms. With more than 200,000 users and contributors, Metasploit will help you get insights and information about the weaknesses in your systems.

You can get more information and download the tool here.

Windows Run Commands

The Windows Run command is used to open an application or document whose path is known. It functions more or less like a single-line command line interface. It can help abbreviate the process of accessing a specific utility or application without having to navigate other menus or select from utility features.

Windows Run commands:

Request                                     Command
Quick Access To C: drive                    \
Open the current user’s home folder         .
Open up the Users folder                    ..
Open Documents Folder                       documents
Open Videos folder                          videos
Open Downloads Folder                       downloads
Open Favorites Folder                       favorites
Open Recent Folder                          recent
Log off the current user                    logoff
Open Pictures Folder                        pictures
Windows Sideshow                            control.exe /name Microsoft.WindowsSideshow
Windows CardSpace                           control.exe /name Microsoft.cardspace
Windows Anytime Upgrade                     WindowsAnytimeUpgradeui
Taskbar and Start Menu                      control.exe /name Microsoft.TaskbarandStartMenu
Troubleshooting                             control.exe /name Microsoft.Troubleshooting
User Accounts                               control.exe /name Microsoft.UserAccounts
Adding a new Device                         devicepairingwizard
Add Hardware Wizard                         hdwwiz
Advanced User Accounts                      netplwiz
Authorization Manager                       azman.msc
Backup and Restore                          sdclt
Bluetooth File Transfer                     fsquirt
Calculator                                  calc
Certificates                                certmgr.msc
Change Computer Performance Settings        systempropertiesperformance
Change Data Execution Prevention Settings   systempropertiesdataexecutionprevention
Printer User Interface                      printui
Character Map                               charmap
ClearType Tuner                             cttune
Color Management                            colorcpl
Command Prompt                              cmd
Component Services                          comexp.msc
Component Services                          dcomcnfg
Computer Management                         compmgmt.msc
Computer Management                         compmgmtlauncher
Connect to a Network Projector              netproj
Connect to a Projector                      displayswitch
Control Panel                               control
Create A Shared Folder Wizard               shrpubw
Create a System Repair Disc                 recdisc
Credential Backup and Restore Wizard        credwiz
Data Execution Prevention                   systempropertiesdataexecutionprevention
Date and Time                               timedate.cpl
Default Location                            locationnotifications
Device Manager                              devmgmt.msc
Device Manager                              hdwwiz.cpl
Device Pairing Wizard                       devicepairingwizard
Diagnostics Troubleshooting Wizard          msdt
Digitizer Calibration Tool                  tabcal
DirectX Diagnostic Tool                     dxdiag
Disk Cleanup                                cleanmgr
Disk Defragmenter                           dfrgui
Disk Management                             diskmgmt.msc
Display                                     dpiscaling
Display Color Calibration                   dccw
Display Switch                              displayswitch
DPAPI Key Migration Wizard                  dpapimig
Driver Verifier Manager                     verifier
Ease of Access Center                       utilman
EFS Wizard                                  rekeywiz
Event Viewer                                eventvwr.msc
Fax Cover Page Editor                       fxscover
File Signature Verification                 sigverif
Font Viewer                                 fontview
Game Controllers                            joy.cpl
Getting Started                             gettingstarted
IExpress Wizard                             iexpress
Infrared                                    irprops.cpl
Local Users and Groups                      lusrmgr
Internet Explorer                           iexplore
Internet Options                            inetcpl.cpl
iSCSI Initiator Configuration Tool          iscsicpl
Language Pack Installer                     lpksetup
Local Group Policy Editor                   gpedit.msc
Local Security Policy                       secpol.msc
Local Users and Groups                      lusrmgr.msc
Location Activity                           locationnotifications
Magnifier                                   magnify
Malicious Software Removal Tool             mrt
Manage Your File Encryption Certificates    rekeywiz
Math Input Panel                            mip
Microsoft Management Console                mmc
Microsoft Support Diagnostic Tool           msdt
Mouse                                       main.cpl
NAP Client Configuration                    napclcfg.msc
Narrator                                    narrator
Network Connections                         ncpa.cpl
New Scan Wizard                             wiaacmgr
Notepad                                     notepad
ODBC Data Source Administrator              odbcad32
ODBC Driver Configuration                   odbcconf
On-Screen Keyboard                          osk
Paint                                       mspaint
Pen and Touch                               tabletpc.cpl
People Near Me                              collab.cpl
Performance Monitor                         perfmon.msc
Performance Options                         systempropertiesperformance
Phone and Modem                             telephon.cpl
Phone Dialer                                dialer
Power Options                               powercfg.cpl
Presentation Settings                       presentationsettings
Print Management                            printmanagement.msc
Printer Migration                           printbrmui
Printer User Interface                      printui
Private Character Editor                    eudcedit
Problem Steps Recorder                      psr
Programs and Features                       appwiz.cpl
Protected Content Migration                 dpapimig
Region and Language                         intl.cpl
Registry Editor                             regedit
Registry Editor 32                          regedt32
Remote Access Phonebook                     rasphone
Remote Desktop Connection                   mstsc
Resource Monitor                            resmon
Resultant Set of Policy                     rsop.msc
SAM Lock Tool                               syskey
Screen Resolution                           desk.cpl
Securing the Windows Account Database       syskey
Services                                    services.msc
Set Program Access and Computer Defaults    computerdefaults
Share Creation Wizard                       shrpubw
Shared Folders                              fsmgmt.msc
Snipping Tool                               snippingtool
Sound                                       mmsys.cpl
Sound Recorder                              soundrecorder
SQL Server Client Network Utility           cliconfg
Sticky Notes                                stikynot
Stored User Names and Passwords             credwiz
Sync Center                                 mobsync
System Configuration                        msconfig
System Configuration Editor                 sysedit
System Information                          msinfo32
System Properties                           sysdm.cpl
System Properties (Advanced Tab)            systempropertiesadvanced
System Properties (Computer Name Tab)       systempropertiescomputername
System Properties (Hardware Tab)            systempropertieshardware
System Properties (Remote Tab)              systempropertiesremote
System Properties (System Protection Tab)   systempropertiesprotection
System Restore                              rstrui
Task Manager                                taskmgr
Task Scheduler                              taskschd.msc
Trusted Platform Module (TPM) Management    tpm.msc
User Account Control Settings               useraccountcontrolsettings
Utility Manager                             utilman
Version Reporter Applet                     winver
Volume Mixer                                sndvol
Windows Action Center                       wscui.cpl
Windows Activation Client                   slui
Windows Anytime Upgrade Results             windowsanytimeupgraderesults
Windows CardSpace                           infocardcpl.cpl
Windows Disc Image Burning Tool             isoburn
Windows DVD Maker                           dvdmaker
Windows Easy Transfer                       migwiz
Windows Explorer                            explorer
Windows Fax and Scan                        wfs
Windows Features                            optionalfeatures
Windows Firewall                            firewall.cpl
Windows Firewall with Advanced Security     wf.msc
Windows Journal                             journal
Windows Media Player                        wmplayer
Windows Memory Diagnostic Scheduler         mdsched
Windows Mobility Center                     mblctr
Windows Picture Acquisition Wizard          wiaacmgr
Windows PowerShell                          powershell
Windows PowerShell ISE                      powershell_ise
Windows Remote Assistance                   msra
Windows Repair Disc                         recdisc
Windows Script Host                         wscript
Windows Update                              wuapp
Windows Update Standalone Installer         wusa
Windows Version                             winver
WMI Management                              wmimgmt.msc
WordPad                                     write
XPS Viewer                                  xpsrchvw
Import to Windows Contacts                  wabmig
Tablet PC Input Panel                       tabtip
Windows Contacts                            wab
Windows Firewall with Advanced Security     wf
Windows Help and Support                    winhlp32
WMI Tester                                  wbemtest
Access Screen Resolution page               desk.cpl
Access Mouse properties                     main.cpl
Access Windows Action Center                wscui.cpl
Access Network Adapters                     ncpa.cpl
Access Power Option                         powercfg.cpl
Access the Programs and Features Window     appwiz.cpl
Access the System Properties                sysdm.cpl
Access the Windows Firewall                 firewall.cpl

If you need more help, there is a lot of information out there on this subject.

Microsoft Open-Source and Cross Platform Development

The Microsoft .Net framework has been around for about 14 years. While C#, C++, VB.NET, and F# seem to be the most supported and used languages to build .NET applications, there are close to 50 languages that are supported by the .NET framework.

In 2014, Microsoft moved to open-source .NET by introducing .NET Core. Most of the .NET components (compilers, languages, libraries, and tools) are now open-source and available on GitHub.

The new open-source component of .NET is named .NET Core and has even more developers embracing what Microsoft is doing with .NET and the associated programming languages. Microsoft has acquired Xamarin and its products, so developers can now use C# to build Android, iOS, and Windows mobile apps.

Is now the time to seriously consider the Microsoft .Net framework for your development?

Managing Active Directory with PowerShell

There are plenty of maintenance tasks that take a significant amount of time to manually perform. They are often avoided or left undone because there are usually more important tasks that must be completed using the limited resources available to the IT technicians.

In this article by Luca Sturlese, we see how many of these maintenance tasks can be completed using PowerShell scripts.

Inactive Users:

#requires -version 2
<#
.SYNOPSIS
  Find and manage inactive Active Directory users.

.DESCRIPTION
  This script allows you to specify the criteria required to identify inactive users within your AD environment. This script also allows
  for the management of found users. Management of users includes one or more of the following options:
  - Reporting
  - Disabling Users
  - Deleting Users

.PARAMETER SearchScope
  Optional. Determines the search scope of what type of user you would like to include in the inactive user search. Options available are:
   - All                     : Default option. All user types including all standard users, service accounts and never logged on accounts.
   - OnlyInactiveUsers       : Only standard user accounts. This option excludes service accounts and never logged on accounts.
   - OnlyServiceAccounts     : Only service accounts. This option excludes standard user accounts and never logged on accounts.
   - OnlyNeverLoggedOn       : Only never logged on accounts. This option excludes standard user accounts and service accounts.
   - AllExceptServiceAccounts: All user account types excluding service accounts.
   - AllExceptNeverLoggedOn  : All user account types excluding never logged on accounts.
   Note: If not specified, the default search scope is All (i.e. all user accounts, service accounts and never logged on accounts).

.PARAMETER DaysInactive
  Optional. The number of days a user account hasn't logged into the domain for in order to classify it as inactive. The default option is 90
  days, which means any user account that hasn't logged into the domain for 90 days or more is considered inactive and therefore managed by this
  script.

.PARAMETER ServiceAccountIdentifier
  Optional. The username prefix or postfix that is used to identify a service account from a standard user account. The default option is 'svc'.
  Determining whether an account is a service account is useful in order to be able to include or exclude service accounts from the search scope.
  Note: For more information see the help information on the parameter SearchScope.
  Example: All accounts with the prefix or postfix of svc (e.g. svc-MyAccount or MyAccount-svc) are identified as service accounts and can
  therefore be included or excluded from the search scope.

.PARAMETER ReportFilePath
  Optional. This is the location where the report of inactive users will be saved to. If this parameter is not specified, the default location the
  report is saved to is C:\InactiveUsers.csv.
  Note: When specifying the file path, you MUST include the file name with the extension of .csv. Example: 'C:\MyReport.csv'.

.PARAMETER DisableUsers
  Optional. If this parameter is specified, this script will disable the inactive users found based on the search scope specified.
  Note: If this parameter is not specified, then by default this script WILL NOT disable any inactive users found.

.PARAMETER DeleteUsers
  Optional. If this parameter is specified, this script will delete the inactive users found based on the search scope specified.
  Note: If this parameter is not specified, then by default this script WILL NOT delete any inactive users found.

.INPUTS
  None.

.OUTPUTS
  Report of inactive users found. See ReportFilePath parameter for more information.

.NOTES
  Version:        1.0
  Author:         Luca Sturlese
  Creation Date:  16.07.2016
  Purpose/Change: Initial script development

.EXAMPLE
  Execution of script using default parameters. Default execution performs reporting of inactive AD users only, not disabling or deleting any accounts.
  By default the report is saved in C:\.

  .\Find-ADInactiveUsers.ps1

.EXAMPLE
  Reporting and disabling all user accounts, except never logged on accounts. Storing the report in C:\Reports.

  .\Find-ADInactiveUsers.ps1 -SearchScope AllExceptNeverLoggedOn -ReportFilePath 'C:\Reports\DisabledUsers.csv' -DisableUsers

.EXAMPLE
  Find & delete all inactive users (not service accounts) that haven't logged in for the last 30 days. Include never logged on accounts in this search.

  .\Find-ADInactiveUsers.ps1 -SearchScope AllExceptServiceAccounts -DaysInactive 30 -DeleteUsers

.EXAMPLE
  Delete all user accounts that have never been logged into. Store the report in C:\Reports.

  .\Find-ADInactiveUsers.ps1 -SearchScope OnlyNeverLoggedOn -ReportFilePath 'C:\Reports\NotLoggedOnAccounts.csv' -DeleteUsers
#>

#---------------------------------------------------------[Script Parameters]------------------------------------------------------

Param (
  [Parameter(Mandatory = $false)][string][ValidateSet('All', 'OnlyInactiveUsers', 'OnlyServiceAccounts', 'OnlyNeverLoggedOn', 'AllExceptServiceAccounts', 'AllExceptNeverLoggedOn')]$SearchScope = 'All',
  [Parameter(Mandatory = $false)][int]$DaysInactive = 90,
  [Parameter(Mandatory = $false)][string]$ServiceAccountIdentifier = 'svc',
  [Parameter(Mandatory = $false)][string]$ReportFilePath = 'C:\InactiveUsers.csv',
  [Parameter(Mandatory = $false)][switch]$DisableUsers = $false,
  [Parameter(Mandatory = $false)][switch]$DeleteUsers = $false
)

#---------------------------------------------------------[Initialisations]--------------------------------------------------------

#Set Error Action to Silently Continue
$ErrorActionPreference = 'SilentlyContinue'

#Import Modules & Snap-ins
Import-Module ActiveDirectory

#----------------------------------------------------------[Declarations]----------------------------------------------------------

#Set Inactive Date:
$InactiveDate = (Get-Date).Adddays(-($DaysInactive))

#-----------------------------------------------------------[Functions]------------------------------------------------------------

Function Find-Accounts {
  Param ()

  Begin {
    Write-Host "Finding inactive user accounts based on search scope specified [$SearchScope]..."
  }

  Process {
    Try {
      #Set Service Account Identifier (wildcards on both sides so prefix and postfix both match)
      $ServiceAccountIdentifier = '*' + $ServiceAccountIdentifier + '*'

      #LastLogonDate -notlike "*" selects accounts that have never logged on (attribute not set)
      Switch ($SearchScope) {
        'All' {
          $global:Results = Get-ADUser -Filter { (LastLogonDate -lt $InactiveDate -or LastLogonDate -notlike "*") -and (Enabled -eq $true) } -Properties LastLogonDate | Select-Object @{ Name="Username"; Expression = {$_.SamAccountName} }, Name, LastLogonDate, DistinguishedName
        }

        'OnlyInactiveUsers' {
          $global:Results = Get-ADUser -Filter { LastLogonDate -lt $InactiveDate -and Enabled -eq $true -and SamAccountName -notlike $ServiceAccountIdentifier } -Properties LastLogonDate | Select-Object @{ Name="Username"; Expression = {$_.SamAccountName} }, Name, LastLogonDate, DistinguishedName
        }

        'OnlyServiceAccounts' {
          $global:Results = Get-ADUser -Filter { LastLogonDate -lt $InactiveDate -and Enabled -eq $true -and SamAccountName -like $ServiceAccountIdentifier } -Properties LastLogonDate | Select-Object @{ Name="Username"; Expression = {$_.SamAccountName} }, Name, LastLogonDate, DistinguishedName
        }

        'OnlyNeverLoggedOn' {
          $global:Results = Get-ADUser -Filter { LastLogonDate -notlike "*" -and Enabled -eq $true } -Properties LastLogonDate | Select-Object @{ Name="Username"; Expression = {$_.SamAccountName} }, Name, LastLogonDate, DistinguishedName
        }

        'AllExceptServiceAccounts' {
          #-and binds tighter than -or, so never logged on accounts are included regardless of name
          $global:Results = Get-ADUser -Filter { LastLogonDate -lt $InactiveDate -and Enabled -eq $true -and SamAccountName -notlike $ServiceAccountIdentifier -or LastLogonDate -notlike "*" } -Properties LastLogonDate | Select-Object @{ Name="Username"; Expression = {$_.SamAccountName} }, Name, LastLogonDate, DistinguishedName
        }

        'AllExceptNeverLoggedOn' {
          $global:Results = Get-ADUser -Filter { LastLogonDate -lt $InactiveDate -and Enabled -eq $true } -Properties LastLogonDate | Select-Object @{ Name="Username"; Expression = {$_.SamAccountName} }, Name, LastLogonDate, DistinguishedName
        }

        Default {
          Write-Host -BackgroundColor Red "Error: An unknown error occurred. Can't determine search scope. Exiting."
          Break
        }
      }
    }

    Catch {
      Write-Host -BackgroundColor Red "Error: $($_.Exception)"
      Break
    }
  }

  End {
    If ($?) {
      Write-Host 'Completed Successfully.'
      Write-Host ' '
    }
  }
}

Function Create-Report {
  Param ()

  Begin {
    Write-Host "Creating report of inactive users in specified path [$ReportFilePath]..."
  }

  Process {
    Try {
      #Check file path to ensure correct
      If ($ReportFilePath -notlike '*.csv') {
        $ReportFilePath = Join-Path -Path $ReportFilePath -ChildPath '\InactiveUsers.csv'
      }

      # Create CSV report
      $global:Results | Export-Csv $ReportFilePath -NoTypeInformation
    }

    Catch {
      Write-Host -BackgroundColor Red "Error: $($_.Exception)"
      Break
    }
  }

  End {
    If ($?) {
      Write-Host 'Completed Successfully.'
      Write-Host ' '
    }
  }
}

Function Disable-Accounts {
  Param ()

  Begin {
    Write-Host 'Disabling inactive users...'
  }

  Process {
    Try {
      ForEach ($Item in $global:Results){
        Disable-ADAccount -Identity $Item.DistinguishedName
        Write-Host "$($Item.Username) - Disabled"
      }
    }

    Catch {
      Write-Host -BackgroundColor Red "Error: $($_.Exception)"
      Break
    }
  }

  End {
    If ($?) {
      Write-Host 'Completed Successfully.'
      Write-Host ' '
    }
  }
}

Function Delete-Accounts {
  Param ()

  Begin {
    Write-Host 'Deleting inactive users...'
  }

  Process {
    Try {
      ForEach ($Item in $global:Results){
        Remove-ADUser -Identity $Item.DistinguishedName -Confirm:$false
        Write-Host "$($Item.Username) - Deleted"
      }
    }

    Catch {
      Write-Host -BackgroundColor Red "Error: $($_.Exception)"
      Break
    }
  }

  End {
    If ($?) {
      Write-Host 'Completed Successfully.'
      Write-Host ' '
    }
  }
}

#-----------------------------------------------------------[Execution]------------------------------------------------------------

Find-Accounts
Create-Report

If ($DisableUsers) {
  Disable-Accounts
}

If ($DeleteUsers) {
  Delete-Accounts
}

There are several more example scripts available here.

Windows flaw allows PowerShell attacks

Windows security is a moving target, and you have to be constantly monitoring the latest vulnerabilities to see if your laptops or servers are secure. Kaspersky Lab recently announced that a critical vulnerability in the Windows GDI, which Microsoft patched in the latest round of updates, had already been exploited by a group of malicious hackers to execute malicious code. That is troubling.

The remote code execution flaw starts in how the Windows GDI handled objects in memory (CVE-2016-3393), and the issue has been addressed in critical bulletin (MS16-120). The vulnerability affected all supported versions of Windows operating system, Microsoft Office 2007 and Office 2010, Skype for Business 2016, Silverlight, .Net Framework, Microsoft Lync 2013, and Microsoft Lync 2010.

Now your responsibility is to make sure all your systems are successfully updated, because this isn’t a vulnerability found in a lab. This vulnerability was found in the wild, so it is a known attack vector. If a hacker can trick a user into visiting a malicious website and clicking on a link to malicious content, the PowerShell script could attack an unpatched system. The same attack could also be started with a traditional malicious email attachment or a simple file download.

While your organization may have different patching requirements than mine, all IT departments should prioritize patching critical updates and this is a critical update.

Announcing .NET Core 1.0

The .NET Core is a cross-platform, open source, and modular .NET platform for creating modern web apps, micro-services, libraries, and console applications using the Microsoft .NET framework. This new release includes the .NET Core runtime, libraries, and tools which includes the ASP.NET Core libraries. Microsoft is also releasing Visual Studio and Visual Studio Code extensions that will enable developers to create .NET Core projects. You can visit https://dot.net/core to get started today.

High Availability Networks

High Availability refers to system uptime, usually measured as a percentage of uptime over a period of time. An example might be a server: if it is up all the time, with absolutely no downtime over a period of one year, it is considered 100% available. As you might imagine, it is nearly impossible to maintain 100% availability for modern systems. You have a fairly complex network that might block users’ access to your server, or the server might need Windows updates that require a reboot, etc.

As a technology professional, your success in achieving 100% uptime is often outside of your control, but something you must manage. Usually this is managed through setting user expectations. You shouldn’t promise your users 100% uptime, but you should strive for as much uptime as possible. The commonly accepted percentage of maximum uptime that is deemed reasonable is 99.999%, which means your server will be unavailable less than 6 minutes over a one year period of time, or about 25 seconds per month. This is possible, but only if you manage this metric as closely as possible. You must manage the server uptime very closely, scheduling updates and reboots, and refusing to accept that a reboot will fix all known issues.

High Availability Measurements

Availability %  Downtime per year     Downtime per month
90%             36.5 days             72 hours
95%             18.25 days            36 hours
97%             10.96 days            21.6 hours
98%             7.30 days             14.4 hours
99%             3.65 days             7.20 hours
99.5%           1.83 days             3.60 hours
99.8%           17.52 hours           86.23 minutes
99.9%           8.76 hours            43.8 minutes
99.95%          4.38 hours            21.56 minutes
99.99%          52.56 minutes         4.38 minutes
99.995%         26.28 minutes         2.16 minutes
99.999%         5.26 minutes          25.9 seconds
99.9999%        31.5 seconds          2.59 seconds
99.99999%       3.15 seconds          262.97 milliseconds
99.999999%      315.569 milliseconds  26.297 milliseconds
99.9999999%     31.5569 milliseconds  2.6297 milliseconds

Expectations

Looking at the chart above, what is your expected availability? As a database administrator or network administrator, you have to manage user expectations and meet them by measuring server availability and working to improve it.

If you are seeing your server availability is less than optimal, and you want to improve that metric, you have to start measuring server downtime. Start looking at ways to keep your server available more than it is today. If your server is down for one hour this week, you are now at about 99.8%, even if this is the only time the server was down all year.

Start tracking the availability of your servers, because only by measuring something can you really start making it better.
