Finding Accounts Trusted for Delegation

As part of a security audit, I was asked to help in finding all accounts marked with "Trusted for Delegation"

What is "Trust for Delegation"

You can try reading the TechNet Article, but in short - delegation (also known as kerberos double-hop) is allowing a service to impersonate clients in order ...

more ...

Some PowerShell Snippets for Network Scanning

I recently had to improvise some network scanning using PowerShell. The security guys got somewhat excited, so I decided to upload these snippets.
I think all of them require PowerShell v2+

Checking ping for one IP address

Test-Connection $target -count 1 -quiet

Checking if a TCP port is listening

function ...
more ...

Setting Up Samba on Raspberry Pi

After setting up my rPi TorrentBox, I wanted to let my family access the downloaded files.
Since they use Windows (and I don't want to bother their systems with NFS), I wanted to install Samba on the rPi and create a read-only share (and a weak user for them ...

more ...

setspn Duplicates and Case Sensitivity

Today I found out that the command I use to find duplicate SPNs, setspn -x

is case sensitive, meaning that the following SPNs don't count as duplicates:

HOST/bla
HOST/BLA

This makes sense when using UNIX systems for TGS creation.
However, Active Directory Domain Controllers, being Windows systems ...

more ...

Backing up BitLocker to ActiveDirectory - My Additions

The Story

If you thought about deploying BitLocker in your enterprise, you probably came across the recovery issue - if you lose the encrypting smart card, corrupt the key file, forget the password or the TPM breaks down - how can you access the data?
For small organizations, manual recovery can be ...

more ...


Using Remote Desktop Client without Network Level Authentication

Whenever I use Remote Desktop to connect to an NT6+ (Windows Vista / Windows Server 2008 and later) machine, I use Network Level Authentication, meaning that authentication with the server is performed before session is created (contrary to first connecting to the server and using its GUI to enter the credentials ...

more ...

Filtering Windows Event Log using XPath

When I want to search for events in Windows Event Log, I can usually make do with searching / filtering through the Event Viewer. For instance, to see all 4624 events (successful logon), I can fill the UI filter dialog like this:

  • Event Logs: Security
  • Event IDs: 4624

But sometimes I ...

more ...

Preventing Users from Adding Computers to a Domain

Some time ago, we've come to the conclusion that the computer accounts in the domain are disorganized. After doing the tedious job of sorting existing accounts, we saw that new computer accounts are still being added to the "Computers" container, and we had no idea which computer was behind ...

more ...

Investigating Repeatedly Locked Out Users

I often get asked by some other IT guy "why does user XXXXX keep on getting locked out?"

Let me clue you in on something - users (almost) always get locked out for the same reason: They try the wrong password too many times.The reasons for THAT, however, are quite ...

more ...