Sometimes things get deleted. Ever since Microsoft added the Active Directory Recycle Bin, it's a lot easier to restore those objects. No need to do an authoritative restore from backup. Continue reading “Active Directory Recycle Bin”
The following commands can be used to script the creation of legacy IPsec policies. The example here creates an IPsec policy meant to secure all IP traffic between domain controllers in separate forests in order to secure AD forest trust traffic.
This example uses PSK for authentication, but you should use certificates if possible. Continue reading “Create Legacy IPsec Policy from CLI”
Here are some best practices to follow when creating IPsec policies for Windows hosts. Most of these came from Jason Fossen, the author of the SANS 505 Windows Security course.
A simple way to execute commands and scripts on remote Windows servers is to configure WinRM. In order to perform these tasks securely, we will be configuring WinRM to use SSL to encrypt all of its traffic. This will require that each host has a valid Server Authentication certificate with a CN matching the hostname. Continue reading “Configure and Use WinRM”
Using LDAP over SSL is a good step towards security. Improve security just a little bit more by disabling SSLv2 and forcing your clients to use SSLv3.
On each of your domain controllers create the following registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
Then create the following DWORD:
DWORD = "Enabled" Value = 00000000
Finally, reboot the domain controller.
To make this even easier, you can deploy this registry key through a Group Policy Object linked to the Domain Controllers OU.
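The steps above as an idempotent PowerShell function that also reports the value before and after, so you can confirm the setting on each domain controller. This is an added example, not part of the original post; the function name `Set-Ssl2Disabled` and its `-KeyPath` parameter are hypothetical, and the default key path is the one given in the post.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later,
# run from an elevated session on the domain controller.
function Set-Ssl2Disabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Registry key from the post, in PowerShell provider syntax.
        # Microsoft's Schannel article also documents Client and Server subkeys
        # below each protocol key; pass one with -KeyPath to target it instead.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'
    )

    # Current value; $null means the key or the value does not exist yet.
    $before = (Get-ItemProperty -Path $KeyPath -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

    $changed = $false
    if ($before -ne 0) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Set Enabled = 0 (DWORD)')) {
            if (-not (Test-Path -Path $KeyPath)) {
                # -Force creates any missing parent keys as well.
                New-Item -Path $KeyPath -Force | Out-Null
            }
            New-ItemProperty -Path $KeyPath -Name 'Enabled' -Value 0 `
                -PropertyType DWord -Force | Out-Null
            $changed = $true
        }
    }

    # Read the value back so the result reflects what is actually in the registry.
    $after = (Get-ItemProperty -Path $KeyPath -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        KeyPath        = $KeyPath
        EnabledBefore  = $before
        EnabledAfter   = $after
        Changed        = $changed
        RebootRequired = $changed   # the post's final step: reboot after the change
    }
}

# Dry run: shows what would change without writing to the registry.
Set-Ssl2Disabled -WhatIf
```

Run it without `-WhatIf` to apply the change; a second run should report `Changed = False` and `EnabledAfter = 0`.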
More information from Microsoft:
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll