So where, oh where is “AGPM.ADM”?

Despite several Microsoft Advanced Group Policy Management pages saying

You can centrally configure optional logging and tracing for Advanced Group Policy Management (AGPM) using Administrative templates.

they don’t tell you where to find the Group Policy AGPM.ADM or AGPM.ADMX files.

After much searching and wasted time, I can tell you that if you install the AGPM client, a copy of AGPM.ADMX (and its AGPM.ADML language file) is dropped into your local %windir%\PolicyDefinitions directory.
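Once the client has dropped the template locally, the useful next step is to copy it into the domain Central Store so every GPMC console (not just the PC with the AGPM client) can see the logging and tracing settings. The script below is an added example, not from the original post or from Microsoft; it assumes an en-US language folder and write access to SYSVOL.

```powershell
# Added example (not from the original post): confirm the AGPM client dropped
# AGPM.admx / AGPM.adml into the local PolicyDefinitions folder, then copy both
# into the domain Central Store. Assumptions: language folder is en-US and the
# account running this can write to SYSVOL.
$local   = Join-Path $env:windir 'PolicyDefinitions'
$lang    = 'en-US'
$domain  = (Get-CimInstance Win32_ComputerSystem).Domain
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

$admx = Join-Path $local 'AGPM.admx'
$adml = Join-Path $local "$lang\AGPM.adml"

if (-not (Test-Path $admx)) {
    throw "AGPM.admx not found in $local. Install the AGPM client on this machine first."
}
if (-not (Test-Path $adml)) {
    throw "AGPM.adml not found in $local\$lang. Check which language folder the client installed."
}

# Record which copy you are about to publish (date/size help when two AGPM versions are around).
Get-Item $admx, $adml | Select-Object FullName, LastWriteTime, Length

# Create the Central Store (and its language folder) if this domain never had one.
foreach ($dir in $central, (Join-Path $central $lang)) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

Copy-Item $admx -Destination $central -Force
Copy-Item $adml -Destination (Join-Path $central $lang) -Force

# Sanity check: list the policy names the template defines. These are the
# logging/tracing settings that should now show up in GPMC's Administrative Templates.
Select-String -Path (Join-Path $central 'AGPM.admx') -Pattern 'policy name="([^"]+)"' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
```

GPMC prefers the Central Store over the local folder when the Central Store exists, so after this copy the AGPM settings are editable from any management station in the domain.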

Configure Logging and Tracing
Ask the Directory Services Team – AGPM Production GPOs (under the hood)
Active Directory Infrastructure Self-Study Training Kit: Stanek & Associates Training Solutions

Passing The Hash Protection, RunAsPPL, and breaking Windows 10

In order to improve our desktop security, I tested the “Run As Protected Process Light” functionality for LSA included in Windows 8.1.

Current attacker tools, such as WCE, gsecdump, and Mimikatz, retrieve credentials from LSASS’s memory via injecting themselves into the process or simply reading a process’s memory. Windows 8.1 introduces a new security feature that allows the user to mark LSASS as a protected process. Protected processes enforce greater access control and limit the available interactions non-protected processes can have with a protected process. For example, process injection becomes much harder because only code signed by Microsoft can execute inside of a protected process. Also, protected processes disallow any non-protected process from reading its memory (even if the user is running as an administrator or system). This breaks current attacker tools.
National Security Agency: Reducing the Effectiveness of Pass-The-Hash

“This breaks current attacker tools.”

It also broke our Windows 10 desktops.  Even though I enabled Lsass.exe auditing to see if we had any programs which were going to cause us issues, Microsoft’s sspisrv.dll was not flagged.

Enable RunAsPPL on Windows 10, Reboot Windows 10, Watch Windows 10 go into Recovery Mode.

Thanks Microsoft.
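The documented sequence is: turn on LSASS audit mode, run the fleet for a while, read the Code Integrity log, and only then set RunAsPPL. The script below is an added example (mine, not from the original post or from Microsoft) that stages those three steps as separate modes so the audit log is checked before the enforcement bit is set. The registry values and event IDs are the ones from Microsoft’s “Configuring Additional LSA Protection” guidance; as the post shows, a clean audit log is necessary but not sufficient, since sspisrv.dll was never flagged on Windows 10.

```powershell
# Added example (not from the original post). Run elevated.
#   -Mode Audit   : set AuditLevel=8 so LSASS logs plug-ins it would refuse under PPL
#   -Mode Report  : list the CodeIntegrity events that audit (3065/3066) or
#                   enforcement (3033/3063) produced
#   -Mode Enforce : set RunAsPPL=1, but only if the audit log is clean
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Audit', 'Report', 'Enforce')]
    [string]$Mode
)

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$auditKey = Join-Path $lsaKey 'LSASS.exe'
$ciLog    = 'Microsoft-Windows-CodeIntegrity/Operational'
$ciEvents = 3033, 3063, 3065, 3066

function Get-LsaLoadFailures {
    # -ErrorAction hides the non-terminating "no events found" error on a clean log.
    Get-WinEvent -FilterHashtable @{ LogName = $ciLog; Id = $ciEvents } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Detail  = ($_.Message -split "`n")[0]
            }
        }
}

switch ($Mode) {
    'Audit' {
        if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey | Out-Null }
        Set-ItemProperty -Path $auditKey -Name AuditLevel -Value 8 -Type DWord
        Write-Host "AuditLevel=8 set. Reboot, run the normal workload, then use -Mode Report."
    }
    'Report' {
        $failures = Get-LsaLoadFailures
        if ($failures) { $failures | Format-Table -AutoSize }
        else { Write-Host "No events $($ciEvents -join ', ') in $ciLog on this machine." }
    }
    'Enforce' {
        if (Get-LsaLoadFailures) {
            throw 'Audit log shows LSA plug-ins that would be blocked; fix or remove them before enabling RunAsPPL.'
        }
        Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 -Type DWord
        Write-Host 'RunAsPPL=1 set. After reboot, System log event 12 (Wininit) should report LSASS started as a protected process.'
    }
}
```

Keep a way to clear RunAsPPL offline (WinRE registry load, or the UEFI-lock variant is deliberately not used here) before rolling this to a test ring, because a machine that boots into Recovery Mode cannot run the Enforce step in reverse for you.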

New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks
Configuring Additional LSA Protection
Security Support Provider Interface Architecture

Karma, when it’s instant, is a joy to behold.

Driving home tonight, I was behind a Police CIRT van.

They pull over, then start following me.  I’m thinking to myself, “Ahhh, I’m going to be pulled over for a traffic stop”.

So the Police are behind me at the next set of traffic lights.  The lights change to green.  I start to move off.  A taxi on the cross-road RUNS the RED light to do a left turn, so he’s in front of me.

The Police put their Flashing Lights on, overtake me at a rate of knots, and pull the Taxi driver over.

Karma is wonderful.

Samba–like a dog returning …

Samba.  Every time I’ve said

“Not going to write about Samba”,

like a dog returning to its … food …, I return to issues with Samba.

To recap, I’ve written about the following Samba issues:
Samba file copy performance
Samba causing Windows account lockouts
Samba file deletion issues
Samba & clear text passwords

Today’s post?  Samba & SMB Signing.

“SMB Signing is a feature through which communications using SMB can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering of packets and “man in the middle” attacks.”

So from a security perspective, SMB Signing is a good thing.

So I enabled it.

And the calls rolled in from our band of test users: “We can’t connect to our network drives.”  Yes, Samba was involved.

In one case, a Samba-based server which went end of support in 2006 (in the words of the customer, “It just works.  We’ve never needed to touch it.”) was one of the servers the customer couldn’t connect to.

Three months later, I’m going to have another crack at enabling SMB Signing.  This time we’ll enable it for everyone, and exclude individual PCs on an exception basis.

We’ll cover most of our corporate network & get most of the SMB Signing security benefits from this approach.
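Before the “Microsoft network client: Digitally sign communications (always)” setting goes out to everyone, it is worth knowing which servers a given PC reaches over SMB1 or without signing; those are the boxes that will stop answering once the client refuses unsigned sessions. The script below is an added example of that pre-flight check, not code from the original post or from the Samba project. It assumes the SmbShare module (Windows 8 / Server 2012 or later) and uses a constructed server list.

```powershell
# Added example (not from the original post): report, per server, the SMB
# dialect and whether the current session is signed, so the 2006-era Samba
# boxes are found before RequireSecuritySignature=1 is enforced.
$Servers = 'fileserver01', 'oldsamba', 'dfsroot'   # constructed sample input; replace with yours

# What the security option actually writes. On a PC that is supposed to be on
# the exception list, this shows which GPO won.
$ws = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -ErrorAction SilentlyContinue
"Client RequireSecuritySignature = $($ws.RequireSecuritySignature) (1 = this PC refuses unsigned servers)"
Get-SmbClientConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature

$results = foreach ($s in $Servers) {
    # Open a session to IPC$ so there is a connection to inspect; no share mapping needed.
    $null = & net.exe use "\\$s\IPC$" 2>&1
    $reachable = ($LASTEXITCODE -eq 0)
    $conn = Get-SmbConnection -ServerName $s -ErrorAction SilentlyContinue | Select-Object -First 1

    # SMB2/SMB3 servers must support signing by protocol, so only SMB1 servers
    # that are not signing today are a real risk when the policy is enforced.
    $risk = if (-not $conn) { 'no SMB session' }
            elseif ($conn.Dialect -notlike '2.*' -and $conn.Dialect -notlike '3.*') { 'SMB1: test before enforcing' }
            elseif (-not $conn.Signed) { 'SMB2+, unsigned today: verify, should be fine' }
            else { 'already signed' }

    [pscustomobject]@{
        Server    = $s
        Reachable = $reachable
        Dialect   = $conn.Dialect
        Signed    = $conn.Signed
        Risk      = $risk
    }
    if ($reachable) { $null = & net.exe use "\\$s\IPC$" /delete /y 2>&1 }
}
$results | Format-Table -AutoSize
```

Run it on a PC from each site before the GPO is linked; anything reported as SMB1 is a candidate for the exception list (or, better, for retirement).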

The Basics of SMB Signing (covering both SMB1 and SMB2)

Network drives were dropping out

Network drives were dropping out.  We were also seeing 15+ minutes slow logon times at some remote sites.

We’d mostly see the slow logon times with Windows 7.  We’d see the “network drives dropping out” issue with Windows 8.

Looking at the OfflineFiles event log we saw several 1004 events logged.  Looking at the details of the event, we’d see details like:
Path \\Noddyland\CorpData$ transitioned to slow link with latency = 140 and bandwidth = 202123

Why was it happening?  The following table of default slow-link thresholds might help:

Operating system   Slow bandwidth limit       Slow latency threshold
Windows XP         64Kbps                     n/a
Windows Vista      none (policy is opt-in)    n/a
Windows 7          64Kbps                     80ms
Windows 8          64Kbps                     35ms

From the event above, “transitioned to slow link with latency = 140 and bandwidth = 202123”, you can see we had plenty of bandwidth, but our network latency was too high at 140ms (well over the 35ms Windows 8 default, and over the 80ms Windows 7 default too), which transitioned the network share (\\Noddyland\CorpData$) to Offline (slow-link) mode.

We fixed the issue by setting Latency=200 for \\Noddyland\CorpData$, in Group Policy Computer Configuration\Administrative Templates\Network\Offline Files\Configure slow-link mode.
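To see how far each share is over the threshold before picking a Latency= value, the 1004 events can be parsed rather than read one at a time. The script below is an added example, not from the original post; with -Sample it runs over two constructed messages (the first copied from the post), otherwise it reads the Offline Files Operational log. The registry key at the end is where I understand the “Configure slow-link mode” policy stores its per-path entries; confirm on your own build with gpresult before relying on it.

```powershell
# Added example (not from the original post): parse Offline Files event 1004,
# decide whether latency or bandwidth tripped the slow link, and suggest a
# per-share Latency= setting for the "Configure slow-link mode" policy.
param(
    [switch]$Sample,
    [int]$LatencyThresholdMs = 35,    # Windows 8 default; use 80 for Windows 7
    [int]$BandwidthThreshold = 64000  # 64Kbps default, same units as the event text
)

$log = 'Microsoft-Windows-OfflineFiles/Operational'

if ($Sample) {
    # Constructed sample messages; the first is the one quoted in the post.
    $messages = @(
        'Path \\Noddyland\CorpData$ transitioned to slow link with latency = 140 and bandwidth = 202123',
        'Path \\Noddyland\Home$ transitioned to slow link with latency = 40 and bandwidth = 30000'
    )
} else {
    $messages = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1004 } -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Message
}

$pattern = 'Path (?<path>\\\\\S+) transitioned to slow link with latency = (?<lat>\d+) and bandwidth = (?<bw>\d+)'
$transitions = foreach ($m in $messages) {
    if ($m -match $pattern) {
        $lat = [int]$Matches.lat
        $bw  = [int]$Matches.bw
        [pscustomobject]@{
            Path      = $Matches.path
            LatencyMs = $lat
            Bandwidth = $bw
            Cause     = if ($bw -lt $BandwidthThreshold) { 'bandwidth' }
                        elseif ($lat -gt $LatencyThresholdMs) { 'latency' }
                        else { 'unknown' }
        }
    }
}

# One row per share: how often it flipped, the worst latency seen, and a
# Latency= override with about 25% headroom, rounded up to the next 10ms.
$transitions | Group-Object Path | ForEach-Object {
    $worst = ($_.Group | Measure-Object -Property LatencyMs -Maximum).Maximum
    [pscustomobject]@{
        Path             = $_.Name
        Transitions      = $_.Count
        WorstLatencyMs   = $worst
        Causes           = ($_.Group.Cause | Sort-Object -Unique) -join ','
        SuggestedSetting = 'Latency=' + ([math]::Ceiling($worst * 1.25 / 10) * 10)
    }
} | Format-Table -AutoSize

# Where the policy lands once the GPO applies (my understanding of the ADMX,
# not from the post): one REG_SZ per UNC path, data such as "Latency=200".
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache\SlowLinkParams'
if (Test-Path $key) { Get-ItemProperty -Path $key | Format-List }
else { "No slow-link overrides present under $key" }
```

A share that only ever trips on latency with bandwidth well above 64Kbps (the CorpData$ case) is the one where raising Latency= is the right fix; a share tripping on bandwidth is a different problem and a higher latency value will not help it.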

“Configure slow-link mode” policy on Vista for Offline Files
Configuring New Offline Files Features for Windows 7 Computers Step-by-Step Guide
Slow-Link with Windows 7 and DFS Namespaces
The “Configure slow-link mode” Policy is not taking effect

Opportunity Shop Volunteering Experiences

I volunteered in an “Opportunity” Shop, or as some people know them, a “Thrift” shop, for 6 months.  These shops are generally run by charities and they sell donated goods.

Can I have a discount?
Something we’d get asked semi-regularly.
“We’re a charity.  The goods are already a bargain.  And you want a discount???”

I’ve visited charity shops interstate.  Turns out to be a fairly common question.

We dumped more donations than you’d think.
No, we don’t want your soiled clothes, including under garments.  Old newspapers?  No, we don’t want those either.  And what do you think we’re going to do with your broken furniture?  Have the “broken furniture fairy” magically fix it?
Electrical goods.  Some shops don’t take them, but we did.  If you’re donating your old computer, wipe the hard drive first.

Finished looking at that item of clothing?
Why yes, DO drop it on the floor.  We’ve got nothing better to do than re-hanger clothes.

The staff and volunteers get first look at the new stuff.
Yes, this is true.  Aside from the altruism of volunteering your time to a charity, one of the paybacks is good cheap stuff.  I picked up a pair of new Doc Martens, worth $120 new, for $50.

Saturday Link Roundup

Programming Sucks
“There will always be darkness
I spent a few years growing up with a closet in my bedroom. The closet had an odd design. It looked normal at first, then you walked in to do closet things, and discovered that the wall on your right gave way to an alcove, making for a handy little shelf. Then you looked up, and the wall at the back of the alcove gave way again, into a crawlspace of utter nothingness, where no light could fall and which you immediately identified as the daytime retreat for every ravenous monster you kept at bay with flashlights and stuffed animals each night.
This is what it is to learn programming. You get to know your useful tools, then you look around, and there are some handy new tools nearby and those tools show you the bottomless horror that was always right next to your bed.”

Internet Explorer (IE) version detection in JavaScript
Minification-safe JavaScript detection of version of Internet Explorer (IE) browser up to version 10 inclusive.

Falsehoods programmers believe about time
“I have repeatedly been confounded to discover just how many mistakes in both test and application code stem from misunderstandings or misconceptions about time. By this I mean both the interesting way in which computers handle time, and the fundamental gotchas inherent in how we humans have constructed our calendar – daylight savings being just the tip of the iceberg.”

Getting a list of printers published in an Active Directory domain

So I need to get a list of print servers and printers in the domain.

Using Powershell.

Looking around the interwebs, I found a PowerShell commandline here which formed the basis of this commandline:
Get-ADObject -LDAPFilter "(objectCategory=printQueue)" -Properties cn, drivername, location, printername, portname, servername | select portname, cn, drivername, location, printername, servername | Format-Table -Property * -AutoSize | Out-String -Width 4096 | Out-File C:\wisefaq\printerlist.txt

Which outputs to a text file, like this:
portname cn drivername location printername servername
-------- -- ---------- -------- ----------- ----------
{} PRT001-LZR960-2 Dataproducts LZR 960 PS US/UT/Boort/99 Anytown St LZR960-2
{} PRT001-LZR960-1 Dataproducts LZR 960 PS US/UT/Boort/99 Anytown St LZR960-1
{} PRT001-LZR960-3 Dataproducts LZR 960 PCL US/UT/Boort/99 Anytown St LZR960-3
{} PRT001-LZR960-4 Dataproducts LZR 960 PS US/UT/Boort/99 Anytown St LZR960-4
{} PRT001-LZR960-5 Dataproducts LZR 960 PCL US/UT/Boort/99 Anytown St LZR960-5

So why did I use Out-File instead of Export-CSV?
Export-CSV is refusing to output the {ip.addresses}. I don’t know why, and I’ve wasted an hour trying to work around the issue.
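The reason Export-Csv drops the port names is that portName is a multi-valued attribute: Export-Csv calls ToString() on each property, and for a collection that yields the collection’s type name rather than its values. Flattening the collection in Select-Object fixes it. The script below is an added example of that, not the original post’s command; it assumes the ActiveDirectory module (RSAT) and adds the uNCName attribute, which gives the \\server\printer path directly.

```powershell
# Added example (not from the original post): the same printQueue query with
# the multi-valued portName joined into one string so Export-Csv writes the
# addresses instead of the collection type name.
Import-Module ActiveDirectory

$printers = Get-ADObject -LDAPFilter '(objectCategory=printQueue)' `
    -Properties cn, driverName, location, printerName, portName, serverName, uNCName |
    Select-Object cn, driverName, location, printerName, serverName, uNCName,
        @{ Name = 'portName'; Expression = { $_.portName -join ';' } }

# -NoTypeInformation drops the "#TYPE ..." header line that breaks most importers.
$printers | Export-Csv -Path C:\wisefaq\printerlist.csv -NoTypeInformation -Encoding UTF8

# Quick per-server count: the print servers themselves fall out of this,
# without needing admin rights on any printer.
$printers | Group-Object serverName | Sort-Object Count -Descending |
    Select-Object Name, Count
```

The same -join trick applies to any other multi-valued attribute you add to -Properties (printMediaReady, printBinNames and so on); Export-Csv will silently mangle every one of them otherwise.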

PowerShell Quick Tip: Creating wide tables with PowerShell

Searching for Specific Printers in a Domain (Attributes for the printQueue Object)

Print-Queue class

PowerShell print server inventory script (looks very useful, but you need admin access to each of the printers)