Wednesday, February 12, 2020

How to Use the IdFix Tool for Azure AD Synchronization Error Remediation


If you administer an Azure AD / Office 365 tenant and run Azure AD Connect on your on-premises servers, you may be familiar with the notification email titled "Sync errors detected on your Azure AD Connect service".









This happens because of synchronization errors between the on-premises directory and Office 365, usually duplicate entries and formatting errors in the attributes being synced.





To solve this, Microsoft provides a tool called IdFix, which identifies errors such as duplicates and formatting problems in an Active Directory Domain Services (AD DS) domain.






IdFix performs discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. Below is the link to download the tool.





https://www.microsoft.com/en-us/download/details.aspx?id=36832





Once you have downloaded the tool, here is how to use it.





  • Download the zip file, extract it, and run IdFix.exe with appropriate permissions for the forest. Run the discovery (Query) pass under an account that can only read the directory, and switch to an account with write permission on the affected objects only when you apply changes. Microsoft's guidance on permissions is below.




Permissions: The application runs in the context of the authenticated user which means that it will query the authenticated forest and must have rights to read the directory. If you wish to apply changes to the directory the authenticated user needs write permission to the desired objects.








  • Once the tool is open, click Query. This queries the entire directory looking for errors and takes some time depending on the size of your directory.








Once the query finishes, the tool lists the issues it found: duplicates, invalid characters, format errors and so on. For each entry, pick an action in the ACTION column based on the error type (refer to the screenshot below); IdFix proposes a corrected value in the UPDATE column that you can accept or edit. Once actions have been selected for all entries, write them to the directory by clicking Apply. Applied changes are written to a transaction log, and the tool can undo them from that log if a fix turns out to be wrong.









Working through the error types reduces the number of sync errors; verify the changes by re-running the query. After all entries are fixed, run a full sync from Azure AD Connect, which clears the remaining sync errors.
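As an added example (not part of the original post and not Microsoft's IdFix code), the PowerShell below runs the same two checks IdFix reports, duplicate UPN / mail / SMTP proxy addresses and UPN format problems, read-only against AD DS, and ends with the full-sync cmdlet to run on the Azure AD Connect server afterwards. It assumes the RSAT ActiveDirectory module; the CSV file names are arbitrary.

```powershell
# Added example, not the original post's content and not Microsoft's IdFix code.
# Read-only pre-check for the two error classes IdFix reports (duplicates and
# format errors), then the full sync to run once the objects are fixed.
# Assumes the RSAT ActiveDirectory module; output file names are arbitrary.
Import-Module ActiveDirectory

# Users (not computers), groups and contacts: the object types Azure AD Connect syncs.
$filter  = '(|(&(objectCategory=person)(objectClass=user))(objectClass=group)(objectClass=contact))'
$objects = Get-ADObject -LDAPFilter $filter -Properties userPrincipalName, mail, proxyAddresses

# 1. Duplicates. Azure AD rejects a second object carrying the same UPN, mail
#    or SMTP proxy address, which is the usual cause of the "Sync errors
#    detected" mail. Compare case-insensitively, as Azure AD does.
$values = foreach ($o in $objects) {
    if ($o.userPrincipalName) { [pscustomobject]@{ Attr = 'userPrincipalName'; Value = $o.userPrincipalName.ToLower(); DN = $o.DistinguishedName } }
    if ($o.mail)              { [pscustomobject]@{ Attr = 'mail';              Value = $o.mail.ToLower();              DN = $o.DistinguishedName } }
    foreach ($p in $o.proxyAddresses) {
        if ($p -match '^smtp:(.+)$') {          # -match is case-insensitive: catches SMTP: and smtp:
            [pscustomobject]@{ Attr = 'proxyAddresses'; Value = $Matches[1].ToLower(); DN = $o.DistinguishedName }
        }
    }
}
$duplicates = $values | Group-Object -Property Attr, Value | Where-Object { $_.Count -gt 1 }

# 2. Format errors in the UPN: characters Azure AD does not accept
#    (allowed: letters, digits, ' . - _ ! # ^ ~ and one @) and suffixes that
#    cannot be verified in the tenant (e.g. .local), which otherwise sync as
#    user@tenant.onmicrosoft.com and break sign-in.
$badChar = [regex]'[^A-Za-z0-9''._\-!#^~@]'
$formatErrors = foreach ($o in ($objects | Where-Object { $_.userPrincipalName })) {
    $upn = $o.userPrincipalName
    if ($badChar.IsMatch($upn) -or ($upn.Split('@').Count -ne 2)) {
        [pscustomobject]@{ Attr = 'userPrincipalName'; Value = $upn; Problem = 'invalid character or malformed'; DN = $o.DistinguishedName }
    } elseif ($upn -match '\.local$') {
        [pscustomobject]@{ Attr = 'userPrincipalName'; Value = $upn; Problem = 'non-routable suffix'; DN = $o.DistinguishedName }
    }
}

'Duplicates:'
foreach ($d in $duplicates) { '  {0} -> {1}' -f $d.Name, ($d.Group.DN -join ' ; ') }
'Format errors:'
$formatErrors | Format-Table Attr, Value, Problem, DN -AutoSize

# Keep a record of what was found before anything is changed.
$duplicates   | Select-Object Name, Count | Export-Csv .\idfix-precheck-duplicates.csv -NoTypeInformation
$formatErrors | Export-Csv .\idfix-precheck-format.csv -NoTypeInformation

# After remediation, on the Azure AD Connect server (ADSync module), force a
# full import and sync so the fixed objects are re-evaluated:
#   Import-Module ADSync
#   Start-ADSyncSyncCycle -PolicyType Initial
```

The script only reports; fixing the objects is still done in IdFix or by hand, which keeps the write-capable account out of the discovery step. Run it again after Apply and before the full sync to confirm both lists are empty.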





Please refer to the Microsoft article below for a detailed description of fixing the different attribute types and errors with the IdFix tool.
https://docs.microsoft.com/en-us/office365/enterprise/prepare-directory-attributes-for-synch-with-idfix





Happy Fixing :)


Monday, February 10, 2020

Windows Task Scheduler | Scripting | batch


I came across a scenario where a batch script needed to run daily, recurring every 15 minutes, without any human interaction, using the Windows Task Scheduler.





A typical script; the path points to the correct location.

As required, the script was added to Task Scheduler and all settings were configured correctly. On the first attempt the script ran without errors and completed its intended tasks, but on the second attempt 15 minutes later it ran and finished without errors yet did not complete the work inside the script.









I went through the Task Scheduler events, but there were no failures, warnings or anything else to isolate the issue, so I ran the script manually and noticed:





  • Run manually, the script executed all its tasks successfully; run by Task Scheduler only, it started failing on the second attempt and kept failing.




After some troubleshooting I found the root cause and the fix.





The primary problem was the working directory. When a task runs a program with nothing in "Start in (optional)", the process does not start in the script's folder (it starts in C:\Windows\System32), so any relative path the batch file uses for the files it reads, writes or calls resolves to the wrong place. The script itself still exits without an error code, so Task Scheduler records the run as completed successfully. In this case the first run happened to succeed, but every scheduled run after it failed silently until the folder was filled in.





So the resolution is:





  • Select the action "Start a program".
  • Browse to the script ("path\to\script", in quotation marks if the path contains spaces).
  • In "Start in (optional)", enter the folder that holds the script (C:\Folder\script\) without quotation marks; quotes in this field make the task fail to start with "The directory name is invalid".
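Added example, not part of the original post: the PowerShell below registers the task described above with the "Start in" folder set (the -WorkingDirectory parameter is that field), and then audits the host for existing tasks that launch a script file without one. The script path, task name and service account are assumptions.

```powershell
# Added example, not part of the original post. Registers the task the post
# describes (a batch file every 15 minutes, no one logged on) with the
# "Start in" folder set, then audits existing tasks that launch a script
# without one. Script path, task name and service account are assumptions.
$ScriptPath = 'C:\Folder\script\job.bat'
$WorkDir    = Split-Path -Path $ScriptPath -Parent   # no quotes: quotes in "Start in" break the task
$TaskName   = 'Batch-Every15'

# -WorkingDirectory is the "Start in (optional)" field. Without it the batch
# file starts in C:\Windows\System32, so every relative path inside it points
# at the wrong folder, while cmd.exe still exits 0 and the history shows success.
$action = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$ScriptPath`"" -WorkingDirectory $WorkDir

# Every 15 minutes from the next whole hour. On Server 2012 R2 also pass
# -RepetitionDuration ([TimeSpan]::MaxValue); later versions default to indefinite.
$start   = (Get-Date).Date.AddHours((Get-Date).Hour + 1)
$trigger = New-ScheduledTaskTrigger -Once -At $start -RepetitionInterval (New-TimeSpan -Minutes 15)

# Do not pile up instances if a run overruns its 15-minute slot, kill runs
# that hang, and catch up if the machine was off at the scheduled time.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 10) -StartWhenAvailable

# Run under a dedicated service account with only the rights the script needs
# (least privilege), not SYSTEM or a domain admin. -Password must be plain
# text for this cmdlet, so prompt for it rather than embedding it.
$cred = Get-Credential -UserName 'CORP\svc_batch' -Message 'Service account for the scheduled task'
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited | Out-Null

# Audit: every task on this host whose action launches a script file with
# no working directory, the exact misconfiguration the post describes.
function Get-TaskWithoutStartIn {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -and -not $a.WorkingDirectory -and
                (($a.Execute + ' ' + $a.Arguments) -match '\.(bat|cmd|ps1|vbs)\b')) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Execute = $a.Execute; Arguments = $a.Arguments }
            }
        }
    }
}
Get-TaskWithoutStartIn | Format-Table -AutoSize
```

The audit function is the useful part on a server that already has many tasks: any row it prints is a task that will report success while its script works in the wrong folder.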








After configuring the above, the script and the schedule worked the way they were expected to.





I hope this saves someone's day or time :)!


Thursday, February 6, 2020

The Ghost Issue "Port Exhaustion" | How to Troubleshoot


Have you ever faced a Windows Server issue with the symptoms below, with nothing to correlate them?





  • The server cannot be reached although it is online; nothing found at the network or firewall level.
  • Remote Desktop does not connect although nothing is wrong with the Remote Desktop configuration.
  • Outgoing connections from the server fail, and so do incoming ones.
  • None of the applications hosted on the server work.
  • The issue occurs from time to time, with no pattern to diagnose.
  • No evidence in the event logs.
  • Group Policy update fails.
  • Network shares cannot be accessed.




After many hours reading different vendor articles, I came across a condition called "port exhaustion". It happens when every port in the dynamic (ephemeral) range is either in use or still held by a connection that is waiting to be established or torn down (for example sockets sitting in TIME_WAIT), so no new outbound connection can get a local port.





If you dive into the event logs you will notice events 4227 and 4231 (source Tcpip, System log) close to the time the issue started. 4231 says a request to allocate an ephemeral port failed because all such ports were in use; 4227 says TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used.









and many DCOM events (ID 10028) can be logged as a result of internal application connections failing because of the port exhaustion.









So now we know we have port exhaustion, but how do we troubleshoot it, and what is the solution? There is no single fix, but we know one thing for sure:

"We don't have enough ports to make connections." :)
What can we do about it? Per Microsoft, we can temporarily change the dynamic port range. The default on Windows Vista / Server 2008 and later is 49152 to 65535 (16384 ports), which is exactly the ephemeral range assigned by the Internet Assigned Numbers Authority (IANA), so the range can only be made larger by starting it below 49152. Do that deliberately, and keep it clear of any ports your own services listen on.





To view the existing port ranges, use the commands below (from an elevated prompt):





  • netsh int ipv4 show dynamicport tcp
  • netsh int ipv4 show dynamicport udp
  • netsh int ipv6 show dynamicport tcp
  • netsh int ipv6 show dynamicport udp




Use the command below to change the range (num is the total number of ports in the range, not an increment):





netsh int <ipv4|ipv6> set dynamicport <tcp|udp> start=number num=range

Examples (the syntax from Microsoft's article; 1000 ports is there to show the form, it is far fewer than the default 16384 and would make exhaustion worse, so size num for your workload, for instance start=10000 num=55535):

netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport udp start=10000 num=1000
netsh int ipv6 set dynamicport tcp start=10000 num=1000
netsh int ipv6 set dynamicport udp start=10000 num=1000




For more details, see Microsoft's article below.
https://docs.microsoft.com/en-us/windows/client-management/troubleshoot-tcpip-port-exhaust





So we have increased the port range, but that is only a temporary measure: we still have to dig down to the root cause and identify what is consuming the ports. Which tool can we use for that?





Yes, as always, the Windows Sysinternals tools save the day. Nice work by Mark Russinovich.





Process Explorer from Sysinternals shows which application is causing the problem. Download it and run it with elevated privileges (Run as administrator). Here is the link:

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer





Initially you will see the default view; adjust the columns so the tool shows what is happening on the system. Here is how:





  • Right-click a column header and select "Choose Columns".
  • On the Process Performance tab add Handle Count, then choose View > Show Lower Pane.
  • Select View > Lower Pane View > Handles, and sort the process list by the Handle Count column.








If set up correctly you will see something like below: the blue arrow shows the process holding the highest number of handles, and the red arrow shows the handle type (sockets appear as File handles on \Device\Afd).





While port exhaustion is happening, this count can reach 30,000 or more.









You can also see which remote IP/port each connection went to: right-click the process, choose Properties and open the TCP/IP tab. There is a lot of information there to work with.













So the conclusion is:

Use Process Explorer to identify the process causing the port exhaustion (typically one that opens connections and never closes them, leaving thousands in TIME_WAIT or holding sockets open). Depending on your scenario, work with the application vendor to fix the app, or stop the offending process temporarily to restore service.
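Added example, not part of the original post and not a Sysinternals tool: the PowerShell below does from the console what the netsh commands and the Process Explorer steps above do interactively. It reads the dynamic port range, counts occupied dynamic ports per owning process (including TIME_WAIT), and pulls the Tcpip 4227/4231 events that mark the onset. It is read-only; the 20 percent warning threshold is an assumption.

```powershell
# Added example, not part of the original post and not a Sysinternals tool.
# Read-only; run elevated so every socket's owning process is visible.
# Assumes the IPv4 and IPv6 ranges are the same (the default); the 20 percent
# "nearly exhausted" threshold is an arbitrary choice for this example.

# 1. Dynamic range in effect (same data as "netsh int ipv4 show dynamicport tcp").
$setting    = Get-NetTCPSetting | Where-Object { $_.DynamicPortRangeStartPort } | Select-Object -First 1
$rangeStart = [int]$setting.DynamicPortRangeStartPort
$rangeCount = [int]$setting.DynamicPortRangeNumberOfPorts
$rangeEnd   = $rangeStart + $rangeCount - 1
"Dynamic port range: {0}-{1} ({2} ports)" -f $rangeStart, $rangeEnd, $rangeCount

# 2. Local ports inside that range that are occupied right now, per process.
#    TIME_WAIT sockets still hold their port until the 2MSL timer expires, so
#    they count; thousands of them from one process is the classic signature
#    of an app that connects and disconnects in a tight loop.
$tcp = Get-NetTCPConnection | Where-Object { $_.LocalPort -ge $rangeStart -and $_.LocalPort -le $rangeEnd }
$udp = Get-NetUDPEndpoint  | Where-Object { $_.LocalPort -ge $rangeStart -and $_.LocalPort -le $rangeEnd }

$byProcess = $tcp | Group-Object -Property OwningProcess | ForEach-Object {
    $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
    $top  = $_.Group | Group-Object -Property RemoteAddress, RemotePort | Sort-Object Count -Descending | Select-Object -First 1
    [pscustomobject]@{
        PID       = [int]$_.Name
        Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
        TcpPorts  = $_.Count
        TimeWait  = @($_.Group | Where-Object { $_.State -eq 'TimeWait' }).Count
        TopRemote = '{0} x{1}' -f $top.Name, $top.Count   # the peer this process hammers most
    }
} | Sort-Object TcpPorts -Descending
$byProcess | Select-Object -First 10 | Format-Table -AutoSize

$used = @($tcp).Count + @($udp).Count
$free = $rangeCount - $used
"Used {0} of {1} dynamic ports; {2} free" -f $used, $rangeCount, $free
if ($free -lt ($rangeCount * 0.2)) { Write-Warning 'Dynamic port range is nearly exhausted' }

# 3. The onset: Tcpip 4227/4231 in the System log over the last day. Their
#    timestamps line up with the DCOM 10028 failures and the user-visible outage.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Tcpip'; Id = 4227, 4231; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize
```

The process at the top of the table with a large TimeWait count and a single dominant TopRemote peer is the one to take to the vendor; the event query tells you when the problem began, which is what you need to correlate with deployments or job schedules.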

Happy Troubleshooting :)






Sunday, February 2, 2020

WSUS Nightmares


If you ever see the WSUS server console reporting that clients have not reported to the server for x number of days, you will see something like below.









But when you look at the client logs, everything appears to be working: clients report to the WSUS server as normal, updates are downloaded from the server, and they even show up in the correct client target groups. Here are some log lines extracted from a client (WindowsUpdate.log).





2020/01/23 15:17:51.1568821 9852  628   DownloadManager *FAILED* [80004001] Method failed [CAgentDownloadManager::CanRetryWithDifferentCDNForError:23980]
2020/01/23 15:17:51.1568965 9852 628 DownloadManager BITS job {0A0F1B98-4B97-4FB3-A7CD-7EB5AD8B9D3E} failed, updateId = 4FED3B54-C444-49B9-950F-301402B8B6B2.200, hr = 0x80190194. File URL = http://namnzsccm.nikkoam.com:8530/Content/43/2699F66F2A4ACCB6A04A2418C94153BCBA21FA43.cab, local path = C:\windows\SoftwareDistribution\Download\60d29cc85b6a3173213aec4fbb2cb5cb\stslist-x-none.cab, The response headers = HTTP/1.1 404 Not Found Date: Thu, 23 Jan 2020 02:17:50 GMT Content-Length: 1245 Content-Type: text/html Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET
2020/01/23 15:17:51.1570292 9852 628 DownloadManager Progress failure bytes total = 0, bytes transferred = 0
2020/01/23 15:17:51.1570490 9852 7344 ProtocolTalker OK to reuse existing configuration
2020/01/23 15:17:51.1570523 9852 7344 ProtocolTalker Existing cookie is valid, just use it
2020/01/23 15:17:51.1570536 9852 7344 ProtocolTalker PTInfo: Server requested registration
2020/01/23 15:17:51.1590469 9852 628 DownloadManager Total download size for update 4FED3B54-C444-49B9-950F-301402B8B6B2.200 (session data: (null)) set via progress to 0
2020/01/23 15:17:51.1594692 9852 628 DownloadManager *FAILED* [80244019] Error occurred while downloading update 4FED3B54-C444-49B9-950F-301402B8B6B2.200; notifying dependent calls.
2020/01/23 15:17:51.1665050 9852 7344 ProtocolTalker *FAILED* [8024000B] Method failed [CAgentProtocolTalker::GetCurrentComputerInfo:4599]
2020/01/23 15:17:51.1665089 9852 7344 ProtocolTalker *FAILED* [8024000B] GetCurrentComputerInfo failed, not fatal
2020/01/23 15:17:51.1665101 9852 7344 ProtocolTalker *FAILED* [8024000B] RefreshPTState failed
2020/01/23 15:17:51.1718495 9852 7344 DownloadManager * END * Download Call Complete. Call 71 for caller UpdateOrchestrator has completed; signaling completion.




After reading a lot of KB articles I realised this could be due to SID duplication in the client deployment/imaging process. Strictly, what WSUS keys on is the SusClientId value that the Windows Update agent generates on first contact, not the machine SID itself; an image that was cloned without being generalised carries the same SusClientId on every machine, so the server treats them all as one computer and the rest appear to stop reporting. (To detect duplicate SIDs, follow the blog post below.)
https://ms07.de/blog/?p=277





Further reading on the subject gives the steps below to get the WSUS clients reporting back to the server (the registry values live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate):





  • Stop the wuauserv service
  • Delete the AccountDomainSid registry value (if it exists)
  • Delete the PingID registry value (if it exists)
  • Delete the SusClientId registry value (if it exists)
  • Restart the wuauserv service
  • Reset the authorization cookie (wuauclt /resetauthorization /detectnow)




After a few more hours on the internet I came across a script by Manuel Gil that achieves the same result. Note that it does considerably more than the six steps above: it also clears the BITS queue, renames SoftwareDistribution and catroot2, resets the service security descriptors, re-registers the Windows Update DLLs and resets Winsock and the WinHTTP proxy. Review it and test it on one client before running it across a fleet.
https://gallery.technet.microsoft.com/scriptcenter/Reset-WSUS-Client-ID-90661da1





:: ================================================================================== 
:: NAME: Reset WSUS Client ID.
:: AUTHOR: Manuel Gil.
:: ==================================================================================

@echo off
title Reset WSUS Client ID.
color 17

cls
ver
echo.Reset WSUS Client ID.
echo.

echo. The methods inside this tool modify files and registry settings.
echo. While they are tested and tend to work, we do not take responsibility for
echo. the use of this tool.
echo.
echo. This tool is provided without warranty. Any damage caused is your
echo. own responsibility.
echo.
echo. As well, batch files are almost always flagged by anti-virus, feel free
echo. to review the code if you're unsure.
echo.

choice /c YN /n /m "Do you want to continue with this process? (Y/N) "
if %errorlevel% EQU 2 goto :eof

echo.Canceling the Windows Update process.
echo.

taskkill /im wuauclt.exe /f

echo.Stopping the Windows Update services.
echo.

net stop bits
net stop wuauserv
net stop appidsvc
net stop cryptsvc

echo.Checking the services status.
echo.

sc query bits | findstr /I /C:"STOPPED"
if %errorlevel% NEQ 0 echo Failed to stop the bits service. & pause & goto :eof

sc query wuauserv | findstr /I /C:"STOPPED"
if %errorlevel% NEQ 0 echo Failed to stop the wuauserv service. & pause & goto :eof

sc query appidsvc | findstr /I /C:"STOPPED"
if %errorlevel% NEQ 0 sc query appidsvc | findstr /I /C:"OpenService FAILED 1060"
if %errorlevel% NEQ 0 echo Failed to stop the appidsvc service. & pause & goto :eof

sc query cryptsvc | findstr /I /C:"STOPPED"
if %errorlevel% NEQ 0 echo Failed to stop the cryptsvc service. & pause & goto :eof

echo.Deleting the qmgr*.dat files.
echo.

del /s /q /f "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
del /s /q /f "%ALLUSERSPROFILE%\Microsoft\Network\Downloader\qmgr*.dat"

echo.Renaming the software distribution folders as backup copies.
echo.

rmdir /s /q "%SYSTEMROOT%\SoftwareDistribution.bak"
ren "%SYSTEMROOT%\SoftwareDistribution" SoftwareDistribution.bak
if exist "%SYSTEMROOT%\SoftwareDistribution" echo Failed to rename the SoftwareDistribution folder. & pause & goto :eof

rmdir /s /q "%SYSTEMROOT%\system32\Catroot2.bak"
ren "%SYSTEMROOT%\system32\Catroot2" Catroot2.bak

del /s /q /f "%SYSTEMROOT%\winsxs\pending.xml.bak"
ren "%SYSTEMROOT%\winsxs\pending.xml" pending.xml.bak

del /s /q /f "%SYSTEMROOT%\WindowsUpdate.log.bak"
ren "%SYSTEMROOT%\WindowsUpdate.log" WindowsUpdate.log.bak

echo.Reset the BITS service and the Windows Update service to the default security descriptor.
echo.

sc.exe sdset wuauserv D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)
sc.exe sdset bits D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)
sc.exe sdset cryptsvc D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)
sc.exe sdset trustedinstaller D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)

echo.Reregister the BITS files and the Windows Update files.
echo.

regsvr32.exe /s atl.dll
regsvr32.exe /s urlmon.dll
regsvr32.exe /s mshtml.dll
regsvr32.exe /s shdocvw.dll
regsvr32.exe /s browseui.dll
regsvr32.exe /s jscript.dll
regsvr32.exe /s vbscript.dll
regsvr32.exe /s scrrun.dll
regsvr32.exe /s msxml.dll
regsvr32.exe /s msxml3.dll
regsvr32.exe /s msxml6.dll
regsvr32.exe /s actxprxy.dll
regsvr32.exe /s softpub.dll
regsvr32.exe /s wintrust.dll
regsvr32.exe /s dssenh.dll
regsvr32.exe /s rsaenh.dll
regsvr32.exe /s gpkcsp.dll
regsvr32.exe /s sccbase.dll
regsvr32.exe /s slbcsp.dll
regsvr32.exe /s cryptdlg.dll
regsvr32.exe /s oleaut32.dll
regsvr32.exe /s ole32.dll
regsvr32.exe /s shell32.dll
regsvr32.exe /s initpki.dll
regsvr32.exe /s wuapi.dll
regsvr32.exe /s wuaueng.dll
regsvr32.exe /s wuaueng1.dll
regsvr32.exe /s wucltui.dll
regsvr32.exe /s wups.dll
regsvr32.exe /s wups2.dll
regsvr32.exe /s wuweb.dll
regsvr32.exe /s qmgr.dll
regsvr32.exe /s qmgrprxy.dll
regsvr32.exe /s wucltux.dll
regsvr32.exe /s muweb.dll
regsvr32.exe /s wuwebv.dll


echo.Deleting values in the Registry.
echo.
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIDValidation /f

echo.Resetting Winsock and WinHTTP Proxy.
echo.

netsh winsock reset
netsh winhttp reset proxy

echo.Resetting the services as automatics.
echo.

sc.exe config wuauserv start= auto
sc.exe config bits start= delayed-auto
sc.exe config cryptsvc start= auto
sc.exe config TrustedInstaller start= demand
sc.exe config DcomLaunch start= auto

echo.Starting the Windows Update services.
echo.

net start bits
net start wuauserv
net start appidsvc
net start cryptsvc
net start DcomLaunch

echo.Forcing updates.
echo.
wuauclt.exe /resetauthorization /detectnow

echo.The operation completed successfully.
echo.Please reboot your computer.
pause
goto :eof




After executing the script, all client computers reported back to the WSUS server.
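Added example, not part of the original post and not Manuel Gil's script: the PowerShell below finds the condition described above from the WSUS side (clients sharing a SusClientId because an image was cloned without Sysprep), and then performs only the six-step identity reset listed earlier on the affected clients. The server name and port, the 7-day threshold and WinRM access to the clients are assumptions.

```powershell
# Added example, not part of the original post and not Manuel Gil's script.
# Requires the UpdateServices module (RSAT / WSUS console host) and WinRM to
# the clients. Server name, port and the 7-day threshold are assumptions.
Import-Module UpdateServices
$wsus = Get-WsusServer -Name 'wsus01.corp.example' -PortNumber 8530

# Clients the console shows as silent for more than a week.
$stale = Get-WsusComputer -UpdateServer $wsus -ToLastReportedStatusTime (Get-Date).AddDays(-7)
if (-not $stale) { 'No stale clients'; return }

# Read the identity the server keys on, plus the machine SID (derived from the
# built-in RID-500 account) to confirm whether the image was ever generalised.
$ids = Invoke-Command -ComputerName $stale.FullDomainName -ErrorAction SilentlyContinue -ScriptBlock {
    $wu    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -ErrorAction SilentlyContinue
    $admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-21-%-500'"
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        SusClientId = $wu.SusClientId
        MachineSid  = $admin.SID -replace '-500$'
    }
}

function Get-DuplicateId {
    param($Objects, [string]$Property)
    $Objects | Group-Object -Property $Property | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Value = $_.Name; Computers = ($_.Group.Computer -join ', ') }
    }
}
'Duplicate SusClientId (WSUS sees these as one computer):'
Get-DuplicateId -Objects $ids -Property SusClientId | Format-Table -AutoSize
'Duplicate machine SID (image was not sysprepped):'
Get-DuplicateId -Objects $ids -Property MachineSid | Format-Table -AutoSize

# Minimal reset of the client identity: the six steps from the post and
# nothing else (no BITS/SoftwareDistribution/ACL/DLL/Winsock work). It does
# not change the machine SID; that needs a re-image from a generalised image.
function Reset-WsusClientId {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
        Stop-Service -Name wuauserv -Force
        foreach ($name in 'AccountDomainSid', 'PingID', 'SusClientId', 'SusClientIDValidation') {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }
        Start-Service -Name wuauserv
        # A fresh SusClientId is generated on the next contact with the server.
        & wuauclt.exe /resetauthorization /detectnow
        "$env:COMPUTERNAME reset"
    }
}
$dupes = (Get-DuplicateId -Objects $ids -Property SusClientId).Computers -split ', ' | Where-Object { $_ }
if ($dupes) { Reset-WsusClientId -ComputerName $dupes }
```

Running the detection first avoids blanket-resetting every client: a machine that is stale because it is simply switched off has a unique SusClientId and does not need touching.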





This phenomenon came from the Windows client OS deployment process not following the best practices for Windows 10 deployment.





In short, the Sysprep tool must be run to generalize the image:

To deploy a Windows image to different PCs, you have to first generalize the image to remove computer-specific information such as installed drivers and the computer security identifier (SID). You can either use Sysprep by itself or Sysprep with an unattend answer file to generalize your image and make it ready for deployment.

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation










Get Rid of SSL 2 & 3 & Rock with TLS 1.2 (Windows Server 2012)











SSL 2.0 and SSL 3.0 are no longer safe to use: SSL 3.0 can be broken with the POODLE attack (CVE-2014-3566), and SSL 2.0 was prohibited even earlier (RFC 6176) because of its weak handshake and ciphers.





If you use a vulnerability scanner you may already have come across the finding "SSL Version 2 and 3 Protocol Detection".





So, to be safe, use at least TLS 1.2 on your servers.





  1. Before changing any registry values, take a backup using the Export option in regedit.
  2. Save the registry information below as a .reg file ("XXX.REG") and import it. On Windows Server 2012 Schannel already has TLS 1.2 enabled, so these keys make the setting explicit (Enabled=1 is included for the same reason) and protect it from being changed by a later setting.




Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000




Then disable SSL 2.0 and SSL 3.0. Deleting registry keys does not do this: a missing key under the path below means "use the Schannel default", and on Windows Server 2012 the default still allows SSL 3.0. Instead, create the keys SSL 2.0\Client, SSL 2.0\Server, SSL 3.0\Client and SSL 3.0\Server under the path below, and in each of them set Enabled to dword:0 and DisabledByDefault to dword:1.





Path :





HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols










Restart the server for Schannel to pick up the change, and
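Added example, not from the original post and not the IIS Crypto tool: the PowerShell below does the manual procedure in one place (backup, enable TLS 1.2, explicitly disable SSL 2.0 and SSL 3.0) and then checks the result with a test handshake from another machine. The host name is an assumption.

```powershell
# Added example, not part of the original post and not IIS Crypto.
# Same registry changes as the manual steps, done with New-Item/New-ItemProperty.
# A key that is absent means "Schannel default", so SSL 2.0/3.0 are disabled by
# creating their keys with Enabled=0, not by deleting anything. Run elevated.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enable)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $Name) $side
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enable)        -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

# Step 1 of the post: back up before touching anything.
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' "$env:TEMP\schannel-backup.reg" /y | Out-Null

Set-SchannelProtocol -Name 'SSL 2.0' -Enable $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true
Get-ChildItem -Path $base -Recurse | Get-ItemProperty | Select-Object PSPath, Enabled, DisabledByDefault | Format-Table -AutoSize
# Schannel reads these at boot: Restart-Computer when ready.

# Verification after the reboot, from another machine: each legacy protocol
# must fail to negotiate while TLS 1.2 succeeds. The certificate callback
# accepts anything because only protocol negotiation is under test here.
function Test-TlsProtocol {
    param([string]$HostName, [int]$Port = 443, [System.Security.Authentication.SslProtocols]$Protocol)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        return $true
    } catch { return $false } finally { $tcp.Close() }
}
foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    '{0,-6} negotiated: {1}' -f $p, (Test-TlsProtocol -HostName 'web01.corp.example' -Protocol $p)
}
```

Run the Test-TlsProtocol loop from a machine whose own Schannel and .NET still allow SSL 3.0 on the client side, otherwise Ssl3 fails because of the client, not the server; the scanner that raised the finding is the independent confirmation.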





Alternatively, a tool can make these changes automatically.





IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012, 2016 and 2019. It also lets you reorder SSL/TLS cipher suites offered by IIS, change advanced settings, implement Best Practices with a single click, create custom templates and test your website.





Get the tool from the link below.





https://www.nartac.com/Products/IISCrypto/





1 - Run the tool (elevated).

2 - Click Best Practices (it selects the recommended protocols, ciphers, hashes and key exchange settings for the server automatically; review the resulting checkboxes before applying, since clients that can only speak the older protocols will stop connecting).

3 - Tick Reboot and click Apply.









Enjoy the vulnerability scan again!





#SSL3 #SSL2 #TLS1 #POODLE #VULNERABLE #WINDOWSSERVER #SSL Version 2 and 3 Protocol Detection






SMB Signing not required


You may come across the statement above, especially during vulnerability scanning. The Nessus scanner reports this issue as plugin ID 57608, as follows:





Severity: Medium
ID: 57608
File Name: smb_signing_disabled.nasl
Version: 1.18
Type: remote
Family: Misc.





The issue is reported when the SMB server does not require signing of its traffic, so an unauthenticated remote attacker who can get between a client and the server can launch a man-in-the-middle (MITM) attack against it. The practical form of this is NTLM relay: an authentication captured from one machine is forwarded to the unsigned server and the attacker acts with that user's rights.





The vulnerability is fixed by enforcing SMB signing through Group Policy for both the client and the server side.





GPO Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Enable "Microsoft network server: Digitally sign communications (always)" on file servers and domain controllers, and "Microsoft network client: Digitally sign communications (always)" on workstations and servers. The scanner tests the server setting, so that is the one that clears the finding; the client setting stops your machines from talking to an unsigned rogue server. The "(if client agrees)" variants do not close the gap, because an attacker's client never agrees. Signing costs some CPU on busy file servers, so check throughput after rollout.
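Added example, not part of the original post and not the Nessus plugin: the PowerShell below checks a list of hosts for the settings the scanner tests (server side) together with the matching client setting, shows the hardened configuration as the local equivalent of the two GPO settings, and confirms that live sessions are actually signed. Host names are assumptions; it needs WinRM access and the SmbShare module (Windows 8 / Server 2012 and later).

```powershell
# Added example, not part of the original post and not the Nessus plugin.
# Host names are assumptions; requires WinRM to the targets and the SmbShare
# module. In a domain, set the values through the GPO named in the post so a
# local admin cannot quietly revert them; the Set-* calls here show what the
# policy does underneath.
$hosts = 'fs01.corp.example', 'app01.corp.example'

function Get-SmbSigningState {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $srv = Get-SmbServerConfiguration
        $cli = Get-SmbClientConfiguration
        # The registry value the server GPO writes, so drift is visible too.
        $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            ServerRequireSigning = $srv.RequireSecuritySignature   # plugin 57608 fires when this is False
            ServerEnableSigning  = $srv.EnableSecuritySignature
            ClientRequireSigning = $cli.RequireSecuritySignature
            RegRequireSignature  = $reg.RequireSecuritySignature
        }
    } | Select-Object Computer, ServerRequireSigning, ServerEnableSigning, ClientRequireSigning, RegRequireSignature
}

# Before: the weak state the scanner flags (ServerRequireSigning = False).
Get-SmbSigningState -ComputerName $hosts | Format-Table -AutoSize

# Hardened state: "Digitally sign communications (always)" for server and client.
function Set-SmbSigningRequired {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    }
}
Set-SmbSigningRequired -ComputerName $hosts

# After: re-check the settings, then confirm real sessions negotiate signing,
# which is the property the MITM/relay attack actually depends on.
Get-SmbSigningState -ComputerName $hosts | Format-Table -AutoSize
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed | Format-Table -AutoSize   # Signed column: Windows 10 / Server 2016 and later
```

Re-run the scan after the change; the plugin reads the server's negotiate response, so the Get-SmbSigningState "after" table and the scanner must agree.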









For more details, read below.





https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always





https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always





Happy Fixing :)

