Security identifiers (Windows 10) - Windows security Nov. 8, 2021, 10:04 a.m.

A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.

windows security

Well-known SIDs Nov. 8, 2021, 10:03 a.m.

Well-known security identifiers (SIDs) identify generic groups and generic users. There are universal well-known SIDs, which are meaningful on all secure systems using this security model, and well-known SIDs that are meaningful only on Windows systems.

windows security

User Rights Assignment (Windows 10) - Windows security Nov. 8, 2021, 10:02 a.m.

Provides an overview and links to information about the User Rights Assignment security policy settings (user rights) that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects.

windows security

Managing Access Control with Desired State Configuration Sept. 15, 2021, 11:13 a.m.

Over the summer, the PowerShell Access Control module got some DSC resources to help manage security descriptors for some of the supported object types. The module includes three resources: cAccessControlEntry, cSecurityDescriptorSddl, and cSecurityDescriptor.

windows powershell security dsc

Windows Installer reconfigured all applications - Avoid querying Win32_product Jan. 12, 2021, 9:50 a.m.

The Win32_Product class is not query optimized. Queries such as select * from Win32_Product where (name like 'Sniffer%') require WMI to use the MSI provider to enumerate all of the installed products and then parse the full list sequentially to handle the where clause. This process also initiates a consistency check of the installed packages, verifying and repairing the install. With an account that has only user privileges, this may cause a delay in application launch and an event 11708 stating an installation failure, because the user account may not have access to quite a few locations.

Win32reg_AddRemovePrograms is a much lighter and more effective way to do this, which avoids the calls to do a resiliency check, especially in a locked-down environment. So when using Win32reg_AddRemovePrograms we won't be calling on msiprov.dll and won't be initiating a resiliency check.


YubiKey Smart Card Deployment Guide Oct. 9, 2019, 9:01 a.m.

The YubiKey Minidriver is designed to function in a Windows Server and Client environment configured for smart card authentication. Ensuring your deployment is set up properly is a crucial element of the initial planning for the YubiKey Minidriver deployment.

windows active directory security 2fa yubikey

Updating Nano Server – Nano Server Oct. 9, 2019, 8:57 a.m.

Option 5: Download and install the cumulative update to a running Nano Server: If you have a running Nano Server VM or physical host, you can use the Windows Update WMI provider to download and install the update while the operating system is online. With this method, you don't need to download the .msu file separately from the Microsoft Update Catalog. The WMI provider will detect, download, and install all available updates at once. After installing an update from Windows Update, you can find the log files at %ProgramData%\SoftwareDistribution\Logs\WindowsUpdate.


Group Policy Preferences: Understanding “Run in Logged on User’s Security Context” Sept. 26, 2019, 4:29 p.m.

Every preference item applied is processed under the local SYSTEM account. This applies to preference items created under both the Computer and User Configuration nodes. When you select “Run in Logged on User’s Security Context”, the security context is changed from SYSTEM to the current logged-in User. This is a huge distinction when you are creating preferences for Files, Shortcuts, or Drive Mappings.

windows group policy

Active Directory - How to Enable LDAPS Using Self-Signed Certificates Sept. 18, 2019, 3 p.m.

To enable LDAP over SSL (LDAPS) all you need to do is "install" an SSL certificate on the Active Directory server. Most enterprises will opt to purchase an SSL certificate from a 3rd Party like Verisign. In my case, I created my own certificate using OpenSSL. Here are the steps I used to secure my Active Directory server using a self-signed certificate.

windows security ldap certificates

Building an Enterprise Root Certification Authority in Small and Medium Businesses Sept. 18, 2019, 2:46 p.m.

This step-by-step guide will help you set up a public key certification authority (CA) in a network with servers running Microsoft Windows Server 2003 operating systems.

windows security windows server 2003 certificates

sp_whoisactive SQL Server Monitoring Stored Procedure Sept. 11, 2019, 5:03 p.m.

sp_whoisactive is a comprehensive activity monitoring stored procedure that works for all versions of SQL Server.

windows sql server

Deploying an Enterprise Root Certificate Authority Sept. 5, 2019, 12:21 p.m.

Setting up an Enterprise Root Certificate Authority isn’t a task that you’ll complete on a regular basis and something I think I’ve done twice, maybe 3 times, ever. Each time I forget what I did previously and you can guarantee I’m using a different version of Windows Server each time.

windows security

LDAP Authentication Primer Sept. 5, 2019, 11:44 a.m.

This document provides background on what LDAP authentication is, what specific LDAP authentication methods and mechanisms Active Directory and more specifically the NETID domain supports, and finally gives some guidance on which method and mechanism you should use.

windows security ldap

Are you using LDAP over SSL/TLS? Sept. 5, 2019, 11:42 a.m.

Today, many applications and devices connect to Active Directory over LDAP. Many of those are still performing insecure LDAP “simple binds” where credentials are transferred in clear text over the network. Those exposed credentials typically include the “service account” used to connect to LDAP, but also include the user credentials used during the application login.

Also note that the terms “LDAP over SSL” and “LDAP over TLS” are used interchangeably. By default, LDAP communications between client and server applications are not encrypted. This is especially problematic when an LDAP simple bind is used.

windows security ldap

Creating Custom Secure LDAP Certificates for Domain Controllers with Auto Renewal Sept. 4, 2019, 12:15 p.m.

The primary reason for enabling this functionality is to allow third-party applications that aren’t capable of performing secure binds or encrypted LDAP sessions (over TCP 389) to connect securely.

windows active directory security

Identifying Clear Text LDAP binds to your DC’s Sept. 4, 2019, 12:15 p.m.

The core of the issue is this: when an application performs a simple LDAP bind, the username and password are transmitted in clear text in the very first packet. The DC doesn't even have a chance to prevent this exposure from occurring. If this connection is not encrypted at a lower layer such as TLS or IPSec, it may be intercepted and a bad day may soon follow.

windows active directory security ldap

Windows Time Service Tools and Settings Aug. 29, 2019, 5:20 p.m.

Tools and settings for the Windows Time service.


Why does each drive have its own current directory? July 16, 2019, 3:41 p.m.

Remembering the current directory for each drive has been preserved ever since DOS 1.0, although there isn’t actually such a concept as a per-drive current directory in Win32. The appearance that each drive has its own current directory is a fake-out by cmd.exe which uses environment variables to create the illusion to batch files that each drive has its own current directory.


Installing and Configuring OpenSSH on Windows Server 2019 June 11, 2019, 12:16 p.m.

Windows Server 2019 and the most recent version of Windows 10 include the ability to install both an SSH client and an SSH server. To get an SSH client onto Windows 10 or Windows Server 2019, without using 3rd party software or installing Windows Subsystem for Linux, use the PowerShell command:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~

windows ssh windows server 2019

PSWindowsUpdate June 7, 2019, 9:24 a.m.

This is a fork of Michal Gajda's PSWindowsUpdate PowerShell module. The original module can be found on the PowerShell Gallery.

windows powershell github