Tuesday, November 15, 2022

Verifying certificate validity with OCSP

 There are couple of ways to verify if OCSP is returning the correct certificate status.

1. GUI. 

    * export certificate to a file, suggested format is base64 encoded file.

    * run: certutil -URL C:\temp\test1.cer


2. CMD: 

certutil -verify -urlfetch C:\temp\test02_04.cer

Check last lines of the output.
3. CMD. Create a folders: certificates and results and copy your certficifate to certificates folder and execute:  

certutil -downloadocsp certificates results downloadonce

then view results with:

certutil .\results\44EAE067772C9DE9AD8CC2ADADB2DBF906305C9D.ocsp


Posted by at No comments:

Monday, September 12, 2022

Registering JEA sessions

 $cmds = @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'wuauserv', 'Spooler' }},@{ Name = 'Get-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'wuauserv', 'Spooler' }}


New-PSSessionConfigurationFile -SessionType Empty -ModulesToImport Microsoft.PowerShell.Management -VisibleCmdlets $cmds -Path .\GetService.pssc -RunAsVirtualAccount



Register-PSSessionConfiguration -Name GetService -Path .\GetService.pssc


Set-PSSessionConfiguration -Name GetService -ShowSecurityDescriptorUI -Force





Posted by at No comments:

Monday, June 27, 2022

send CTRL ALT DEL from command line

 (new-object -ComObject shell.application).WindowsSecurity()

Posted by at No comments:

Friday, May 27, 2022

Assiging proper permissions to service account to join to domain with Powershell

1. Service account creation:

New-ADUser -Name "svc-YLEU-domain" -Accountpassword (ConvertTo-SecureString -String `
"Passsword" -Force -AsPlainText) -Enabled $true -PasswordNeverExpires:$true `
-Path "OU=Service Accounts,OU=Users,DC=contoso,DC=local" `
-Description `
"Service Account for automatic join of new machines to domain using terraform or other automation languages" `
-UserPrincipalName "svc-YLEU-domain@contoso.local" `
-Manager "vagrant" -CannotChangePassword:$true


2.  Assign proper permissions to OU:



$guidComputerObject      = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
$RawGuid = ([guid]'bf967a86-0de6-11d0-a285-00aa003049e2').toByteArray();
$Path = [ADSI]"LDAP://CN=Computers,DC=contoso,DC=local"
$ntaccount = New-Object System.Security.Principal.NTAccount("contoso\svc-YLEU-domain")
$IdentityReference = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])

$Perms = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference,"CreateChild","Allow",$RawGuid,"All",$([GUID]::Empty))
$Path.psbase.ObjectSecurity.AddAccessRule($Perms)


$Perms = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference,"DeleteChild","Allow",$RawGuid,"All",$([GUID]::Empty))
$Path.psbase.ObjectSecurity.AddAccessRule($Perms)


$ObjectType = ([guid]'4c164200-20c0-11d0-a768-00aa006e0529').toByteArray();
$InheritedObjectType = ([guid]'bf967a86-0de6-11d0-a285-00aa003049e2').toByteArray();
$PropagationFlags = [System.Security.AccessControl.PropagationFlags] "InheritOnly"
$Perms = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference,"ReadProperty","Allow",$ObjectType,"Descendents",$InheritedObjectType)

$Path.psbase.ObjectSecurity.AddAccessRule($Perms)
$Perms = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference,"WriteProperty","Allow",$ObjectType,"Descendents",$InheritedObjectType)
$Path.psbase.ObjectSecurity.AddAccessRule($Perms)



$ObjectType = ([guid]'f3a64788-5306-11d1-a9c5-0000f80367c1').toByteArray();
$InheritedObjectType = ([guid]'bf967a86-0de6-11d0-a285-00aa003049e2').toByteArray();
$Perms = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference,"Self","Allow",$ObjectType,"Descendents",$InheritedObjectType)
$Path.psbase.ObjectSecurity.AddAccessRule($Perms)

$ObjectType = ([guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd').toByteArray();
$InheritedObjectType = ([guid]'bf967a86-0de6-11d0-a285-00aa003049e2').toByteArray();
$Perms = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference,"Self","Allow",$ObjectType,"Descendents",$InheritedObjectType)
$Path.psbase.ObjectSecurity.AddAccessRule($Perms)


$ObjectType = ([guid]'00299570-246d-11d0-a768-00aa006e0529').toByteArray();
$InheritedObjectType = ([guid]'bf967a86-0de6-11d0-a285-00aa003049e2').toByteArray();
$Perms = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference,"ExtendedRight","Allow",$ObjectType,"Descendents",$InheritedObjectType)
$Path.psbase.ObjectSecurity.AddAccessRule($Perms)

$Path.psbase.commitchanges()

#/* Check the results */

(Get-Acl "ad:\CN=Computers,DC=contoso,DC=local").Access | where-object { $_.IdentityReference -eq 'contoso\svc-YLEU-domain' }

#/* Check the returned ObjectType GUID is Computer */

#$RawGuid = ([guid]'bf967a86-0de6-11d0-a285-00aa003049e2').toByteArray();
##Get-ADObject -Filter {schemaIDGUID -eq $rawGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID | Select-Object Name,@{Name='schemaIDGUID';Expression={[guid]$_.schemaIDGUID}}
Posted by at No comments:

Sunday, February 13, 2022

Restore DB from URL

 RESTORE DATABASE kk_NO FROM URL = 'https://blobbbb.blob.core.windows.net/sqlbackup1/db/20191129/full_20191129_120001.bak'  

with
NORECOVERY 
,REPLACE 
, MAXTRANSFERSIZE = 4194304, BLOCKSIZE = 65536, BUFFERCOUNT = 2000
,STATS = 10;
 
GO
 
RESTORE DATABASE kk_NO FROM URL = 'https://blobbb.blob.core.windows.net/sqlbackup1/db/20191204/diff_20191204_91502.bak'
 
--With MOVE 'kk_SE' to 'F:\Data\kk_SE_clone.mdf',
--MOVE 'kk_log_SE' to 'h:\Log\kk_log_SE_clone.ldf',
with
RECOVERY 
,REPLACE 
, MAXTRANSFERSIZE = 4194304, BLOCKSIZE = 65536, BUFFERCOUNT = 2000
,STATS = 10;
 
GO
Posted by at No comments:

KMS setup

 function Select-Proxy ()

{
$h=hostname
$ret=""
$prx1 "10.81.10.66"
$prx2 "10.81.18.66"
$out1 = Test-NetConnection $prx1
$out2 = Test-NetConnection $prx2
$st1=($out1).PingReplyDetails.Status
$st2=($out2).PingReplyDetails.Status
$rtt1=($out1).PingReplyDetails.RoundtripTime   
$rtt2=($out2).PingReplyDetails.RoundtripTime   
 
if ($st1 -eq "Success" -and $st2 -eq "Success")
{
    #Write-Host "both Success"
    if ($rtt1 -le $rtt2)
    {
       $ret=$prx1
    }
    else
    {
       $ret=$prx2
    }
 
}
elseif ($st1 -eq "Success" -and $st2 -ne "Success")
{
    Write-Host "$prx1 is success."
    $ret=$prx1
}
elseif ($st1 -ne "Success" -and $st2 -eq "Success")
{
    Write-Host "$prx2 is success."
    $ret=$prx2
}
Write-Host "Proxy on $h : $ret"
$ret
}
 
 
[object] $objCred $null
[string] $strUser 'Administrator'
[System.Security.SecureString] $strPass ''
 
$strPass ConvertTo-SecureString -String "Welcome1" -AsPlainText -Force
$objCred New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($strUser$strPass)
 
 
$CompIP="10.81.16.48"
$CompName="ccskms001p"
 
invoke-command -ComputerName $CompIP -Credential $objCred -ScriptBlock {Rename-Computer -NewName $($suing:CompName)}
invoke-command -ComputerName $CompIP -Credential $objCred -ScriptBlock {shutdown /r /t 0}
 
 
 
$remote_proxy=Invoke-Command -ComputerName $CompIP -Credential $objCred -ScriptBlock ${Function:Select-Proxy}
 
Invoke-Command -ComputerName $CompIP -Credential $objCred -ScriptBlock {C:\windows\System32\bitsadmin.exe /Util /SetIEProxy NETWORKSERVICE Manual_proxy http://$($using:remote_proxy):3128 "*.statoilfuelretail.com;10.*"}
Invoke-Command -ComputerName $CompIP -Credential $objCred -ScriptBlock {C:\windows\System32\bitsadmin.exe /Util /SetIEProxy LOCALSYSTEM Manual_proxy http://$($using:remote_proxy):3128 "*.statoilfuelretail.com;10.*"}
                 
 
invoke-command -ComputerName $CompIP -Credential $objCred -ScriptBlock {
Install-PackageProvider -Name NuGet -Force -Proxy http://$($using:remote_proxy):3128
Install-Module PSWindowsUpdate -Force -Proxy http://$($using:remote_proxy):3128
 
}
 
Invoke-Command -ComputerName $CompIP -Credential $objCred -ScriptBlock  {New-Item -Path C:\temp -ItemType Directory}
 
Invoke-Command -ComputerName $CompIP -Credential $objCred -ScriptBlock {Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/poorleno1/scep_config/master/EPAMPolicy.xml' -OutFile "c:\\temp\\EPAMPolicy.xml" -Proxy "http:\\$($using:remote_proxy):3128"}
Invoke-Command -ComputerName $CompIP -Credential $objCred -ScriptBlock {Invoke-WebRequest -Uri 'http://wsus.ds.download.windowsupdate.com/c/msdownload/update/software/crup/2017/01/scepinstall_2c54f8168cc9d05422cde174e771147d527c92ba.exe' -OutFile "c:\\temp\\scepinstall.exe" -Proxy "http:\\$($using:remote_proxy):3128"}
Invoke-Command -ComputerName $CompIP -Credential $objCred -ScriptBlock  {
                                                            & {
                                                                $proc = Start-Process "c:\temp\scepinstall.exe" -ArgumentList "/s /q /NoSigsUpdateAtInitialExp /policy c:\temp\EPAMPolicy.xml" -PassThru
                                                                $handle $proc.Handle # cache proc.Handle http://stackoverflow.com/a/23797762/1479211
                                                                $proc.WaitForExit();
                                                            }
                                                        }
 
$adgroup="cg_s_"+$CompName+"_prod_adm"
New-ADGroup -Path "ou=Groups,dc=contoso,dc=local" -GroupScope -server dc1 -Name $adgroup
 
 
Invoke-Command -ComputerName $CompIP -Credential $objCred -ScriptBlock  {Add-Computer -DomainName statoilfuelretail.com -Credential sfr\a-sfr-jarekole -OUPath "ou=Computers,ou=OCloud,dc=statoilfuelretail,dc=com";shutdown /r /t 0}
#Wait until computer registers in DNS
 
invoke-command -ComputerName $CompName -ScriptBlock {hostname}
 
Invoke-Command -ComputerName $CompName -ScriptBlock  {Add-LocalGroupMember -Group Administrators -Member ocloud_server_adm}
Invoke-Command -ComputerName $CompName -ScriptBlock  {Add-LocalGroupMember -Group Administrators -Member $($using:adgroup)}
 
 
Invoke-Command -ComputerName $CompName -ScriptBlock  {Install-WindowsFeature -Name VolumeActivation -IncludeAllSubFeature -IncludeManagementTools}
 
Invoke-Command -ComputerName $CompName -ScriptBlock  {}
 
 
Invoke-Command -ComputerName $CompName -ScriptBlock  {Get-NetFirewallRule -DisplayName *key*| select enabled}
Invoke-Command -ComputerName $CompName -ScriptBlock  {Enable-NetFirewallRule -Name SPPSVC-In-TCP}



cscript.exe %windir%\system32\slmgr.vbs /ipk licenseKey
Cscript.exe %windir%\system32\slmgr.vbs /ato



VERIFICATION:

nslookup -q=SRV _VLMCS._TCP.contoso.local

verify statistics:

slmgr.vbs /dli
#list what product keys are installed
slmgr.vbs /dlv all

# add 6 more months to your trial version
slmgr.vbs /rearm



How to verify KMS clients (workstations):


  1. Run following command on affected machine:


(Get-WinEvent -FilterHashtable @{logname="application";id=12288} -MaxEvents 1).message


  1. Verify output:


The client has sent an activation request to the key management service machine.

Info:

0x00000000, 0x00000000, KMSSERVER:1688, 90af96d5-88ee-440c-b78f-990246b52969, 2019/12/16 12:05, 0, 1259146, 81671aaf-79d1-4eb1-b004-8cbbe173afea, 25


Red value should be all zeros and orange is value in minutes where reactivation should occur (259146 – 6 months). Green 1 means it’s licensed.

Reference:

  1. https://blogs.technet.microsoft.com/askpfeplat/2015/11/09/kms-migration-from-2008-r2-to-windows-server-2012-r2-and-kms-activation-known-issues/
  2. https://support.citrix.com/article/CTX219672
Posted by at No comments:
Subscribe to: Posts (Atom)