August 31, 2014
By default, LDAP communications between client and server applications are not encrypted. This means that anyone with a network monitoring device or software could view the communications traveling between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used, because the credentials (username and password) are passed over the network unencrypted. This could quickly lead to the compromise of those credentials.
For more details follow the link below:
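As an added example that is not part of the original post, the following decodes an LDAP simple BindRequest the way a passive observer on the network would see it and flags the cleartext credentials; the bind message is constructed in the code, and the DN and password are sample values.

```python
"""Decode an LDAP BindRequest (RFC 4511) as a network observer sees it and flag cleartext
credentials. Added example, not the post's code; the sample message is constructed below."""
import struct

def _tlv(data, pos):
    """Parse one BER TLV at pos; return (tag, value, next_pos). Handles short/long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _encode(tag, value):
    """BER-encode one TLV (value up to 65535 bytes)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x82]) + struct.pack(">H", len(value)) + value

def build_simple_bind(message_id, dn, password):
    """Bytes an LDAP client sends for a simple bind (sample traffic, constructed here)."""
    body = (_encode(0x02, bytes([3]))             # version 3
            + _encode(0x04, dn.encode())          # name (LDAPDN)
            + _encode(0x80, password.encode()))   # authentication: simple [0] = the raw password
    msg = _encode(0x02, bytes([message_id])) + _encode(0x60, body)   # BindRequest [APPLICATION 0]
    return _encode(0x30, msg)                                         # LDAPMessage SEQUENCE

def decode_bind_request(data):
    """What a passive observer learns from one unencrypted LDAPMessage."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(msg, 0)
    op_tag, op, _ = _tlv(msg, pos)
    result = {"message_id": int.from_bytes(mid, "big")}
    if op_tag != 0x60:
        return dict(result, op="not a BindRequest")
    _, ver, pos = _tlv(op, 0)
    _, dn, pos = _tlv(op, pos)
    auth_tag, auth, _ = _tlv(op, pos)
    result.update(version=ver[0], name=dn.decode())
    if auth_tag == 0x80:                    # simple [0]: the password itself is on the wire
        result.update(auth="simple", password=auth.decode(), cleartext_credentials=True)
    else:                                   # sasl [3] (tag 0xA3, e.g. GSS-SPNEGO): no password
        result.update(auth="sasl", cleartext_credentials=False)
    return result

if __name__ == "__main__":
    print(decode_bind_request(build_simple_bind(1, "CN=alice,DC=mydomain,DC=com", "P@ssw0rd")))
```

The same decoder applied to a SASL bind (GSS-SPNEGO, as Ldp.exe uses with "Encrypt traffic after bind") reports no cleartext credentials, which is the configuration the post recommends.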
August 28, 2014
I would like to introduce the process of restoring a user account in Active Directory using Ldp.exe:
1. Open Ldp.exe on your domain admin machine or on the DC itself.
2. Go to Connection -> Connect -> enter the AD server name and port 389 -> OK:
3. Go to Connection -> Bind -> Bind as currently logged on user, and check Encrypt traffic after bind; do not choose Simple bind (not secured, clear text) -> OK:
4. Go to View -> Tree -> Base DN -> DC=mydomain,DC=com -> OK:
5. Expand the root domain tree and look for CN=Deleted Objects,DC=mydomain,DC=com
if there is no such...
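As an added example that goes beyond the steps shown above (it is not the post's code), the following works out what the later Ldp.exe modify step does to a tombstone found under CN=Deleted Objects: it takes the attribute values Ldp.exe displays for the deleted user and produces the LDAP modify operations that reanimate it; the tombstone attributes and the objectGUID placeholder are constructed.

```python
"""Plan the LDAP modify that reanimates a tombstoned AD user (added example, not the post's
code). The tombstone dictionary is constructed to resemble what Ldp.exe shows."""

DELETED_CONTAINER = "CN=Deleted Objects,DC=mydomain,DC=com"   # from step 5 of the post

def restore_plan(tombstone, deleted_container=DELETED_CONTAINER):
    """Return the modify operations that restore a tombstone: remove isDeleted and move the
    object back to its last known parent by replacing distinguishedName."""
    dn = tombstone["distinguishedName"]
    suffix = "," + deleted_container
    if tombstone.get("isDeleted") != "TRUE" or not dn.endswith(suffix):
        raise ValueError("not a tombstone under the Deleted Objects container: " + dn)
    rdn = dn[: -len(suffix)]                # e.g. CN=John Smith\0ADEL:<objectGUID>
    # AD renames a deleted object to "<old RDN>\nDEL:<guid>"; LDAP tools show the newline as \0A.
    original_rdn = rdn.replace("\n", "\\0A").split("\\0ADEL:")[0]
    parent = tombstone.get("lastKnownParent")
    if not parent:
        raise ValueError("lastKnownParent missing; cannot compute the original location")
    new_dn = f"{original_rdn},{parent}"
    # Without the AD Recycle Bin only the attributes kept on the tombstone survive; group
    # memberships and most other user attributes must be re-populated after the restore.
    return {
        "target": dn,
        "changes": [("delete", "isDeleted", None),
                    ("replace", "distinguishedName", new_dn)],
        "restored_dn": new_dn,
    }

def ldif(plan):
    """Render the plan as LDIF so it can be reviewed before anything is applied."""
    lines = [f"dn: {plan['target']}", "changetype: modify"]
    for op, attr, value in plan["changes"]:
        lines.append(f"{op}: {attr}")
        if value is not None:
            lines.append(f"{attr}: {value}")
        lines.append("-")
    return "\n".join(lines)

if __name__ == "__main__":
    sample = {   # constructed tombstone; <objectGUID> stands in for the real GUID
        "distinguishedName": "CN=John Smith\\0ADEL:<objectGUID>," + DELETED_CONTAINER,
        "isDeleted": "TRUE",
        "lastKnownParent": "OU=Users,DC=mydomain,DC=com",
    }
    print(ldif(restore_plan(sample)))
```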
August 26, 2014
I would like to share a little taste of how a Kerberos ticket looks when running klist on a machine that is a member of a domain:
For more information about SPNs:
August 20, 2014
Three levels of DNS security
Low-level security is a standard DNS deployment without any security precautions configured. Deploy this level of DNS security only in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity. Low-level DNS security has the following characteristics:
The DNS infrastructure of the organization is fully exposed to the Internet.
Standard DNS resolution is performed by all DNS servers in the network.
All DNS servers are configured with root hints pointing to the root servers for the Internet.
All DNS servers permit...
Great article for Monitoring and Auditing for End Systems:
In recent months I was involved in a couple of auditing and monitoring engagements. Nowadays this topic is critical for an enterprise environment that wants full visibility into what is occurring in its organization.
Using Microsoft's own tools, we can build and implement an auditing and monitoring review:
Windows command-line tool: Displays information about and performs functions to modify audit policy settings.
Windows command-line tool: Creates and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line.
Windows PowerShell cmdlet: Deletes all entries from specified event logs...
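As an added example for the audit-policy review step (not code from the original post), the following parses the output of the audit-policy command-line tool described above, assumed here to be auditpol, and lists the subcategories a reviewer would expect to see enabled but that are set to No Auditing; the sample output is constructed to follow the layout of `auditpol /get /category:*`.

```python
"""Find audit subcategories left at 'No Auditing' (added example, not the post's code).
SAMPLE_OUTPUT is constructed to mimic `auditpol /get /category:*` output."""
import re

SAMPLE_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Special Logon                           No Auditing
Account Logon
  Credential Validation                   No Auditing
  Kerberos Authentication Service         Success and Failure
"""

# Reviewer's baseline (an assumption of this example): subcategories whose absence hides
# logon and credential-validation activity that an enterprise review normally relies on.
BASELINE = {"Logon", "Special Logon", "Credential Validation", "Kerberos Authentication Service"}

def parse_audit_policy(text):
    """Map category -> {subcategory: setting}. Category lines are flush left, subcategories
    indented, and the setting sits after a run of two or more spaces."""
    policy, category = {}, None
    for line in text.splitlines()[2:]:          # skip the two header lines
        if not line.strip():
            continue
        if not line.startswith(" "):
            category = line.strip()
            policy[category] = {}
            continue
        name, setting = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        policy[category][name] = setting
    return policy

def audit_gaps(text, baseline=BASELINE):
    """Baseline subcategories that are 'No Auditing' or absent from the output, sorted."""
    settings = {n: s for subs in parse_audit_policy(text).values() for n, s in subs.items()}
    return sorted(n for n in baseline if settings.get(n, "No Auditing") == "No Auditing")

if __name__ == "__main__":
    for gap in audit_gaps(SAMPLE_OUTPUT):
        print("gap:", gap)
```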
August 19, 2014
Hey, this is a Cumulative Security Update for Internet Explorer:
This security update resolves one publicly disclosed and twenty-five privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
For more info:
August 17, 2014
The following components are used in a typical OTP solution:
Client computer: Contains the DirectAccess components, a credential provider that is written by the OTP vendor, and a custom key storage provider (KSP).
One-time password server: Consists of two services, an OTP agent that communicates with the validation server, and a component that communicates with the certification authority (CA).
Certification authority: Provides a certificate that is trusted by the domain.
One-time password validation server: Validates the OTP.
High-level architecture for an OTP solution
When invoked, the OTP credential provider collects a user name and OTP value from the user and presents it to the...
August 15, 2014
LSA Architecture - Windows Logon GINA Flow:
1. Uses msgina.dll + winlogon.exe + secur32.dll
2. RPC (LSA server service) for Negotiate
3. Authentication packages in use: Digest, NTLM, Kerberos, TLS/SSL; except NTLM, every protocol uses netlogon.dll
4. NTLM uses samsrv.dll (Security Accounts Manager)
5. Finally, every protocol gets into Directory Services, from netlogon or from the SAM.
6. If it is not a domain controller, it is directed to the local registry.
7. At the end of the Winlogon process, Directory Services connects to the Jet database (esent.dll).
* KDC (kdcsvc.dll), which works over Windows sockets, using the SAM/Kerberos and Directory Services.
August 9, 2014
NTLM vs. Kerberos (comparison table, reconstructed from the flattened two-column layout):
Kerberos: Ticket-based authentication.
NTLM: Microsoft proprietary protocol. Kerberos: Standard protocol that can be used across different implementations.
NTLM: The server contacts the DC to validate the client's response to the challenge (known as pass-through authentication). Kerberos: The client contacts the DC to retrieve a ticket for the service.
NTLM: Pass-through authentication is needed for each session and therefore the DC is contacted each. Kerberos: Faster! The client manages a ticket cache. No need to contact the DC for additional sessions to the same service if the ticket is still.
NTLM: Supports only impersonation. Kerberos: Supports impersonation and delegation.