Month: May 2017

70-533: Implementing Microsoft Azure Infrastructure Solutions – Preparing and taking the exam

Ulv Bjørnsson2 Comments

As some of you know I have a background with private cloud and as of late been moving more and more towards the hybrid cloud, to take advantage of Microsoft Azure.

I’ve been preparing for multiple exams as of late and wanted to take the 70-533 Implementing Microsoft Azure
Infrastructure Solutions due to the sheer volume of growth Microsoft is having with Azure.

So I realized, I best stay updated and formalize my knowledge.

Figured it was time to sit the 70-533 exam which covers:


Preparing

Microsoft-70-533

I took advantage of Microsoft’s focus on Azure, they provide free training and heavily discounted practice tests as well as exam vouchers.

Here are the resources I took advantage of in the time going towards the exam itself:

2017-05-24_14-44-33

 

One of the challenges with the exam is that it is quite broad and to understand the width you need hands on experience, thankfully the hands on labs from Microsoft were great.

The exam also covers Powershell as well as JSON examples, that you have to plot in the right cmdlet for – so get used to it, throw up an editor, or run through the practice test.

A strong suggestion that I urge you to follow through with it, get an Azure trial, the best way to familiarize yourself with Azure is by using it, and also to understand the basics of the ARM deployments and the Powershell scripts.

GitHub has many great repositories that let you get a full infrastructure up and running in no time, however to maximize your trial, remember to turn things off or deleting them so you can get the most out of your thirty day trial.

Some workplaces also have free trials up and running, so ask a colleague you might already have an environment dedicated for Azure testing.

 

 

 

main-qimg-d432f9144cb764cbfa02e33c28948594

Conclusion

I am happy to announce that I did pass the 70-533 exam, it was a challenge, and really happy to have passed it. These days a lot of my time is spent on researching new Azure features, looking at ways I can implement them and also quality assurance, ensuring they have a place in a customers production environment.

I would recommend the exam to anyone wanting to formalize their knowledge, but also wanting to dive deeper into Microsoft Azure. Let me know how your preparation or exam is going in the comments, and as always hit me up here or on twitter at @UlvBjornsson if you have any ideas for future articles or thoughts you’d like to share.

WannaCrypt – What is it?

Ulv Bjørnsson2 Comments

What is WannaCrypt?

  • A large Ransomware campaign that spread across the world.
  • The attack used a vulnerability that was patched in March 2017 Security Update (MS17-010, SMBv1)
  • How can I mitigate WannaCrypt?

Timeline

August 2016
The Shadow Brokers attempt to auction NSA tools

September 2016
Microsoft encourages users to stop using SMB1

March 2017
Microsoft releases Security Update to address the MS17-010 for SMB1 vulnerability

April 2017
The Shadow Brokers release the toolbox

  • Includes SMB (Eternal Blue) and the Trojan Code (Double Pulsar)
  • Microsoft releases an advisory that no new vulnerabilities are found in Shadow Brokers release

May 2017
WannaCrypt is released by unknown attacker
Which utilizes [ETERNALBLUE] with [DOUBLE PULSAR] and a ransomware payload that demands 300-600 USD in Bitcoins from its infected hosts.

What does WannaCrypt do?

Infects

It attacks through [ETERNALBLUE] if MS17-010 is not installed.
Installs the Trojan if the attack is successful [DOUBLEPULSAR]

Encrypts

Encrypts 179 file types
Shows a message that demands for payment of 300$-600$ in bitcoins to a listed wallet.

WannaCrypt.jpg

Spreads

It scans the local LAN and wider internet for port 445
Attempts to infect over SMBv1 [ETERNALBLUE] if port is open.

Payments

We find references to three different wallets these are:

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn 73 transactions, total of 17460 USD
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 98 transactions, total of 26570 USD
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw 82 transactions, total of 23450 USD

Which gives the attackers wallet a total of 67480 USD (14:00 GMT 16.05.17)

Curious of how to mitigate it, or want to read how to disable the SMBv1 vulnerability or patch it? Check out my previous article on mitigation.

As always, if you have suggestions on topics you want to read more about, or feedback. Leave a comment or tweet me at UlvBjornsson

WannaCrypt – What can I do to mitigate?

Ulv Bjørnsson2 Comments

Let’s try to reduce the attack vectors, I’ll walk you through the practical remedies and reduction of attack vectors you can do; now.

Turn off SMB 1

Why? Because WannaCry utilizes the exploit, and unless you are on XP or 2003, you have no use for SMB1, and will be using SMB2/SMB3.
To disable SMBv1 on the SMB server, run the following cmdlet:

Windows 8 and Windows Server 2012

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Windows 7, Windows Server 2008 R2 and Windows Vista

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force

4014204_en_1.png
You can also remove it with “Server Manager” or use this snippet:

Remove-WindowsFeature FS-SMB1

If you want to check whether or not SMB 1.0 is active on your server you can run:

Get-SmbServerConfiguration

 get-smbserverconfiguration-enablesmb1protocol.png

As you can see it states that EnableSMB1Protocol is currently True we want to set this to False.

We can accomplish this by running the following snippet:

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force’ cmdlet, as shown below.

set-smbserverconfiguration-enablesmb1protocol-false.png
(Force is added to prevent it from pausing for confirmation, and run through.)

Let’s run this again to see if the configuration changed:

Get-SmbServerConfiguration

It is now set to false.

get-smbserverconfiguration-enablesmb1protocol-false.png

Patch your clients and servers.

WannaCrypt takes advantage of the MS17-010 vulnerability also known as the SMBv1 vulnerability, thankfully it has been patched with MS17-010. Depending on your patch regime, you should expedite and ensure that this patch goes through.

If your systems have been affected; DOUBLEPULSAR will have also been installed, so this will need to also be removed. A script is available (by COUNTERCEPT) that can remotely detect and remove the DOUBLEPULSAR backdoor.

Creating a Windows Master Control Panel shortcut .{ED7BA470-8E54-465E-825C-99712043E01C}

Ulv BjørnssonLeave a comment

The Windows Master Control Panel, also known as Windows God Mode, or the All Tasks folder is a shortcut to access a variety of control settings found in any operating system later then Windows Vista.

It is one of those stories that hits the blogosphere and spins; however the background for the registry key “ED7BA470-8E54-465E-825C-99712043E01C”  was actually just an “All Tasks“-page created by Windows developers to make it easier to find what was needed.

So if you use the search box in the “Control Panel“-window, see illustration below. It will leverage the key “ED7BA470-8E54-465E-825C-99712043E01C“.

2017-05-12_16-09-47.png

The key that it looks up you can find it under:
HKEY_CLASSES_ROOT\CLSID\{ED7BA470-8E54-465E-825C-99712043E01C}

2017-05-12_16-15-03.png

So now let’s create and give you a shortcut to the blogosphere’s godmode, or the Windows developers “All Task”-folder.

Read More »

Allow Domain User To Update Department Field in Active Directory

Ulv BjørnssonLeave a comment

In this article we’ll go through the steps to allow a domain user that is a member of a security group, to update the Department field in Active Directory

So open up Active Directory Users and Computers and create a Security Group that we will delegate control to, for this example we have created a group called “RL_Update_AD_Users_Department_Field”

pep

Now we have to also choose the container that this group can edit Users in to for this example we have a “Users”-container in our “domain“.

RoyalTS_2017-05-08_13-58-06

This opens up the Delegation of Control Wizard. Hit Next.

2017-05-08_14-11-21

Read More »

Allow Domain User To Update Manager Field in Active Directory

Ulv BjørnssonLeave a comment

In this article we’ll go through the steps to allow a domain user that is a member of a security group, to update the manager field in Active Directory.

So open up Active Directory Users and Computers and create a Security Group that we will delegate control to, for this example we have created a group called “RL_Update_AD_Users_Manager_Field”

 

Now we have to also choose the container that this group can edit Users in to for this example we have a “Users”-container in our “domain“.

RoyalTS_2017-05-08_13-58-06.png

This opens up the Delegation of Control Wizard. Hit Next.

2017-05-08_12-30-50

Read More »

Allow Domain User To Add Computer to Domain

Ulv Bjørnsson1 Comment

In this guide we’ll go through the steps to allow a domain user, to add a computer to the domain. This can be nice in scenarios where some of the preparation for a PC is done by office staff, or if there are branch offices that need to re-join after resetting a PC and so-on.

An authenticated user, has by default the right to join up to 10 computers to the domain. After exceeding this limit the user will recieve an error message.

To get around this we can delegate the right to Create Computer Objects in Active Directory. This ensures that there is no restriction on number of computer objects that the user with this delegation right can add to the domain.

The best way of achieving this is by delegating control to a “Security Group” that we create in “Active Directory”

Delegating rights to User/Group with Active Directory Users and Computers

Read More »