UNC hardening (MS15-011, MS15-014) - you think you enabled it?

 Hi there.

Quick post about another quirk Microsoft the Internet donated to us. With MS15-014, UNC hardening was introduced. Microsoft offers a comprehensive guide about what it does and how to configure it:

https://support.microsoft.com/topic/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10-2015-91b4bda2-945d-455b-ebbb-01d1ec191328

Here you also can find the "minimum recommended settings", where the hardening value is described like this: "RequireMutualAuthentication=1, RequireIntegrity=1".

After conducting a security assesment against our client computers, a request was opened to implement UNC hardening. We also were provided with the settings to implement.

Maybe - like me - you simply copied what you were sent and pasted it into your new UNC hardening GPO. Done you are, right?

Unfortunately, this can go WRONG.  But you won't notice - GPResult shows everything fine (except a rather invisible hint, see screenshot below), registry looks ok. Only if you dig into the "NetworkProvider" eventlog, you will note Event 1006 claiming an error in the syntax of your entry.

 This is how our setting looked in GPResult:

If you take a really close look, you will notice that there's not one space after the comma, but two.

Reason being? Someone added a space character in the value, wich MUST be removed for the setting to apply successfully. When I  added UNC hardening, I did copy/paste on the values that were sent to me. They looked ok in the settings list, they looked ok in the GPO settings report, they looked ok in GPResult. What I did overlook is that what was sent to me contained a line break, and I also copied this line break:

And the network provider really does not like line breaks...

The originating reason why this was sent to us including a line break is lost in the fogs of the past. Most probably, it was itself copied from a source on the Internet where a CMS added a line break for automatic line wrapping, or it was a PDF where the same happened.

That said... 😀

Update 2023/07/26: Corrected the reason - it is not a space character, it is a line break that breaks UNC hardening. And it's not Microsofts fault, but ours 🙈

Multithreaded TCP port check

 Whopper - first post for a long time, and a short one 👶

I wrote a multithreaded TCP port check in Powershell. You ask why? Some reasons:

• multithreaded to test a lot of computers and ports in parallel - often required in domain connectivity scenarios
• fast as light - try it out!
• fully pipeline aware
• self contained, no external dependencies
• including RPC dynamic endpoints
• including SSL protocol checks and certificate details
  

Need more? Leave a comment!

It always bogged me to use Test-NetConnection (slow as hell) or even portqry.exe (needs to be scripted and output parsed) to verify a bunch of ports against a bunch of computers. So I came up with my private solution and started from scratch in Powershell. The result is impressing.

I have a builtin default set of several ports required for proper domain functionality. I ran  this check in one of our environments, consisting of 9 domains and 91 domain controllers, resulting in roughly 800 discrete port checks. Execution time? 17 Seconds... Including DNS resolution which consumes the most part of these 17 seconds.

 Check it out here: https://github.com/daabm/PowerShell/tree/master/Scripts

Happy testing!

How to retrieve DN of AD parent object in Powershell

Stumbling over https://www.akaplan.com/blog/2015/09/get-the-parent-ou-for-an-ad-object/ I thought about how to do it correct AND fast:

$U = Get-ADUser $env:username -Properties cn
$uParent =$u.DistinguishedName.Substring( ( $u.cn ).Length + 4 )

This way we can use the fast string method and we will always remove up to the correct position. Regardless of the parent object container type (OU, Container, whatever...)

Mirroring AD OU trees including GPOs - the PoSh way

Hello all.

In your AD, there might be an OU tree for production purposes. There might be a second tree for testing purposes. Now you need a third tree for evaluation purposes. That means copying all OUs from one of the existing trees and re-linking all GPOs linked to the source.

I recently had this requirement for an OU structure 6 levels deep with more than 100 linked GPOs. Hard to believe I would do this manually, so I fired up my ISE and came out with this module:

CopyGPOLink

Since the description in the gallery is somewhat crispy, here's the full help:

Windows 10 Settings App - how to hide pages for user groups

Hi Readers :-)

With Win 10 1703, the settings app can be configured to hide or allow only certain pages. This is configured with http://gpsearch.azurewebsites.net/#13576. But there's a drawback: This is a computer setting, so it will affect ALL users - even local administrators. Hey, MS - what did you think about when implementing this?

How can we configure the settings app differently for different groups of users?

The solution for this - as often - is "Group Policy Preferences" (GPP). With GPP Registry, we can write HKLM in the user part of a policy. Lets try - we create a GPP Registry to write the value we found at gpsearch:

 
And voila - it turns out that this value is not evaluated at boot time or at logon, but each time you open the settings app.

This enables us to configure the settings app based on users, although "officially" it is a computer setting :-)

Be aware that results might be unexpected if you use fast user switching. Consider the following scenario:

Admin logs on, gets unrestricted settings app. Switch user, default user logs on, gets restricted settings app. If you now switch back to Admin, he also will have restricted settings app because switching users does not trigger gpupdate. You can circumvent this if you create a scheduled task that runs "gpupdate /target:user" and triggers on Session reconnect.

Note: The IDs for the pages (about, privacy and so on) are not listed in the policy help. They can be found at https://www.windowscentral.com/how-hide-settings-pages-windows-10-creators-update#mssettings_page_name_list or at https://blogs.technet.microsoft.com/mniehaus/2017/04/13/hiding-pages-in-settings-with-windows-10-1703/

LegalNoticeCaption and LegalNoticeText - the new way...

Howdy!

Have you ever been using the following settings?

 
These are designed to present a message to the user after he presses C-A-D. This message could be some legal stuff, some helpful hints or whatever you need.

But there's a drawback: If these settings are enabled, AutoAdminLogon will not work anymore. This would prevent automated software installations by scripts, running in the context of an admin user that logs on automatically.

How can we solve this?

Updating Gallery Modules - with a module, of course!

...after I dealt with module updates last week, I finally converted the stuff to a module and published it: https://www.powershellgallery.com/packages/UpdateInstalledModule/1.0

Have fun! :-)