Finding Accounts Trusted for Delegation

As part of a security audit, I was asked to help in finding all accounts marked with "Trusted for Delegation".

What is "Trust for Delegation"

You can try reading the TechNet article, but in short - delegation (also known as Kerberos double-hop) is allowing a service to impersonate clients in order …

more ...

Some PowerShell Snippets for Network Scanning

I recently had to improvise some network scanning using PowerShell. The security guys got somewhat excited, so I decided to upload these snippets.
I think all of them require PowerShell v2+.

Checking ping for one IP address

Test-Connection $target -count 1 -quiet

Checking if a TCP port is listening

function …
more ...

List all Group Policy Extensions Registered

I use this script to see all GP extensions that my computer can process:

ls 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions' | select `
    @{name='Guid';expression={[guid]$_.pschildname}},
    @{name='Name';expression={$_.GetValue('')}},
    @{name='DllName';expression={$_.GetValue('DllName')}},
    @{name='ProcessWhenNoChanges';expression={!$_.GetValue('NoGPOListChanges')}},
    @{name='IsUserPolicy';expression …
more ...

setspn Duplicates and Case Sensitivity

Today I found out that the command I use to find duplicate SPNs, setspn -x, is case sensitive, meaning that the following SPNs don't count as duplicates:

HOST/bla
HOST/BLA

This makes sense when using UNIX systems for TGS creation.
However, Active Directory Domain Controllers, being Windows systems, are …

more ...

Backing up BitLocker to ActiveDirectory - My Additions

The Story

If you thought about deploying BitLocker in your enterprise, you probably came across the recovery issue - if you lose the encrypting smart card, corrupt the key file, forget the password or the TPM breaks down - how can you access the data?
For small organizations, manual recovery can be …

more ...



Finding Superseding WSUS updates in PowerShell

Whenever I see a superseded update, I usually want to know which update supersedes it.
Finding it from the console is easy enough:

But of course, working through the UI is no fun.
After you got an update object through PowerShell, like this:

$wsus = Get-WsusServer WSUS2 -PortNumber 8530
$update = $wsus …
more ...

Adding .NET 3.5 to a Windows Server 2012 template

I was approached by some colleagues building a new VM template for Windows Server 2012 who wanted some help with .NET framework 3.5.

The .NET oddity

As anyone who messed a bit with Windows Server 2012 knows, the .NET framework 3.5 is one of two features (along with …

more ...

Filtering Windows Event Log using XPath

When I want to search for events in Windows Event Log, I can usually make do with searching / filtering through the Event Viewer. For instance, to see all 4624 events (successful logon), I can fill the UI filter dialog like this:

  • Event Logs: Security
  • Event IDs: 4624

But sometimes I …

more ...