my personal blog about systemcenter

All posts in Uncategorized

Building a new reference machine with the "new" Edge and finding a Google cert

Categories: Uncategorized

I was building a new reference image for my Windows PC

PS C:\Program Files (x86)\Microsoft\Edge\Application> $EDGE = Get-SystemDriver -ScanPath 'C:\Program Files (x86)\Microsoft\Edge\Application' -UserPEs

PS C:\Program Files (x86)\Microsoft\Edge\Application> New-CIPolicy -FilePath EDGE.xml -DriverFiles $EDGE -Level FilePublisher -UserPEs

Running the scan at FilePublisher level to see what's "around":

    <Signer ID="ID_SIGNER_F_71" Name="DigiCert SHA2 Assured ID Code Signing CA">
      <CertRoot Type="TBS" Value="E767799478F64A34B3F53FF3BB9057FE1768F4AB178041B0DCC0FF1E210CBA65" />
      <CertPublisher Value="Google LLC" />
      <FileAttribRef RuleID="ID_FILEATTRIB_F_21" />
    </Signer>


Apart from the Microsoft certificates there was a reference to a Google certificate, and the file rule it points to is:

    <FileAttrib ID="ID_FILEATTRIB_F_21" FriendlyName="C:\Program Files (x86)\Microsoft\Edge\Application\79.0.309.71\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll FileAttribute" FileName="widevinecdm.dll" MinimumFileVersion="4.10.1440.18" />

Looking at the file, it's cross-signed with both Microsoft and Google.

Will create the policy without the Google signer for now 🙂
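To make this kind of surprise visible without reading the XML by hand, here is an added example (my own script, not code from the post or from the WDAC tooling) that loads the EDGE.xml written by New-CIPolicy, resolves every Signer to the file rules that reference it, and flags any publisher that is not Microsoft. The policy path is an assumption; the element and attribute names (SiPolicy, Signers/Signer, FileRules/FileAttrib, CertPublisher, CertRoot, FileAttribRef) are the ones in the fragment above.

```powershell
# Added example, not code from the original post: enumerate the signers in a WDAC policy XML
# written by New-CIPolicy (EDGE.xml in the post) and show which file rules reference each one,
# so a publisher that does not belong in the reference image (here "Google LLC") is visible
# before the policy is converted with ConvertFrom-CIPolicy and deployed.
param(
    [string]$PolicyPath = '.\EDGE.xml'   # assumption: the XML produced in the post, in the current directory
)

[xml]$policy = Get-Content -Path $PolicyPath -Raw

# FileAttrib elements carry the per-file facts (name, path, minimum version); index them by ID
# so each Signer's FileAttribRef entries can be resolved to a file name.
$fileAttribs = @{}
foreach ($fa in @($policy.SiPolicy.FileRules.FileAttrib)) {
    if ($fa) { $fileAttribs[$fa.ID] = $fa }
}

$signers = foreach ($signer in @($policy.SiPolicy.Signers.Signer)) {
    if (-not $signer) { continue }
    $refs  = @($signer.FileAttribRef) | Where-Object { $_ }
    $files = foreach ($r in $refs) {
        $fa = $fileAttribs[$r.RuleID]
        if ($fa) { "$($fa.FileName) (min version $($fa.MinimumFileVersion))" }
    }
    [pscustomobject]@{
        SignerId  = $signer.ID
        IssuerCA  = $signer.Name
        Publisher = $signer.CertPublisher.Value
        TbsHash   = $signer.CertRoot.Value
        Files     = ($files -join '; ')
    }
}

# Full signer inventory of the policy
$signers | Format-Table SignerId, Publisher, IssuerCA, Files -AutoSize

# The ones to question: any publisher other than the vendor the image is being built for
$signers | Where-Object { $_.Publisher -and $_.Publisher -notlike '*Microsoft*' } |
    ForEach-Object { "Non-Microsoft signer $($_.SignerId): $($_.Publisher) (issuer $($_.IssuerCA)) -> $($_.Files)" }
```

Running it against the EDGE.xml from the post lists ID_SIGNER_F_71 with publisher Google LLC and widevinecdm.dll as the only file behind it, which is exactly the decision point: keep the signer, or drop it and accept that the Widevine CDM will be blocked.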

Finding clients using insecure LDAP binds


Microsoft announced in August 2019 that they will enforce secure LDAP binds from the March 2020 update.

This means that applications that use "classic" LDAP over port 389 will fail after the updates in the March 2020 cycle are applied.

Take Action: Microsoft Security Advisory ADV190023 published to introduce LDAP channel binding and LDAP signing support. Administrators will need to test these settings in their environment after manually adjusting them on their servers.

The first call to action was August 2019, so if you missed it (like me) this is a very late start on preventing possible outages from the March update cycle.

Required: Security Update available on Windows Update for all supported Windows platforms that will enable LDAP channel binding and LDAP signing on Active Directory servers by default.

The second call to action is now: get searching in the logs.

Events 2886, 2889, 2887 and 1220 from Directory Services are the ones to make sure are logged and searchable.

Domain controllers will by default log a 2886 every 24 hours with how many clients connected; this shows whether there is any usage, but not who or what.

For detailed logging, enable LDAP Interface Events logging at level 2 on your domain controllers:

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

and to disable logging again:

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0

With logging set to level 2 you will now see client connections with insecure binds, including the source IP and the username that authenticated, as Event ID 2889:

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection. 

If you see 1220, a client tried to use LDAPS but the domain controller didn't have a certificate available:

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate. 
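Once level 2 logging has been on for a while, the 2889 events pile up fast and the useful view is a summary per client and identity. Here is an added example (my own script, not from the post or from Microsoft) that reads the Directory Service log on a domain controller and groups the 2889 events by client IP, identity and bind type. It assumes the three replacement strings of event 2889 are, in order, the client IP:port, the identity, and the bind type, and the computer name and time window are parameters you adjust.

```powershell
# Added example, not code from the original post: after "16 LDAP Interface Events" is at level 2,
# summarise the 2889 events on a domain controller by client IP, identity and bind type so the
# applications that still bind insecurely can be found and fixed before the enforcement update.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: run on the DC, or point this at one
    [int]$Hours = 24
)

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) { "No 2889 events in the last $Hours hours on $ComputerName"; return }

# Event 2889 carries three replacement strings: "ip:port", the identity that was bound as,
# and the bind type. Bind type 0 is an unsigned SASL bind and 1 a simple bind over clear text;
# check this mapping against the message text of one event on your own DC.
$rows = foreach ($e in $events) {
    $ipPort = [string]$e.Properties[0].Value
    $ip = if ($ipPort -match '^\[?([0-9a-f.:]+?)\]?:\d+$') { $matches[1] } else { $ipPort }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        ClientIP = $ip
        Identity = [string]$e.Properties[1].Value
        BindType = switch ([string]$e.Properties[2].Value) {
            '0'     { 'SASL without signing' }
            '1'     { 'Simple bind, clear text' }
            default { "Unknown ($_)" }
        }
    }
}

# One line per (client, identity, bind type), most frequent first, with the last time it was seen
$rows | Group-Object ClientIP, Identity, BindType | Sort-Object Count -Descending |
    ForEach-Object {
        $g = $_.Group[0]
        [pscustomobject]@{
            Count    = $_.Count
            ClientIP = $g.ClientIP
            Identity = $g.Identity
            BindType = $g.BindType
            LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

Run it on each domain controller (or loop over them with -ComputerName), since a client only shows up on the DC it actually bound to; the identity column is what tells you which application or service account owner to contact.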

Getting Microsoft Defender to work with Google Santa enabled


Google Santa is an open source project that helps macOS administrators secure workstations; it whitelists binaries at either SHA-256 or certificate level.

Santa supports a local database and a remote sync server for configuration. This first post covers the local database; the remote sync server will be covered later.

For this test we are going to whitelist the certificates used by Microsoft Defender ATP.

Mixing whitelisting and modern protections might be overkill, but it's very good for locking down high-profile targets.

Santa's default configuration is monitor mode, so to enforce the rules we need to change the Santa configuration.

Following the example config from the documentation, ClientMode is changed from 1 (monitor mode) to 2 (enforced).

And since the testing here is done with local config, we need to remove the SyncBaseURL key/string to allow local modification of the allow/deny list.

And we can see that the default configuration is monitor mode.

Install the config file.

And we are in lockdown mode, so any binary will be blocked unless it matches a binary or certificate rule (or is a system file).

So let's start the Microsoft Defender ATP installer.

And Santa picks up the different daemons Defender ATP will run and blocks their execution, as they are not in the allow list yet. Running this in monitor mode would make the install succeed without errors on the first run, and you would then look at the log files. I hit Ignore a bunch of times and then go for the log files.

Santa logs are at /var/db/santa/santa.log:

action=EXEC|decision=DENY|reason=UNKNOWN|sha256=241fde944258965f8912bfc30b55a60c821642722131e64b1d3dfce2d1913354|cert_sha256=e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=687|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Applications/Microsoft Defender

action=EXEC|decision=DENY|reason=UNKNOWN|sha256=9a01cc98d7e1c5d3f1cde3f6b06b8d1540a0c35f80bf7026e8bf8274b05403cd|cert_sha256=09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=774|ppid=1|uid=501|user=fr-santatest|gid=20|group=staff|mode=L|path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AU AU Daemon

And we can see that there are 2 different certs being used: 1 for the main Defender ATP files and 1 for the Microsoft AutoUpdate application.

FR-SantaTests-Mac:~ root# santactl rule --whitelist --sha256 09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303 --certificate

Added rule for SHA-256: 09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303.

FR-SantaTests-Mac:~ root# santactl rule --whitelist --sha256 e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8 --certificate

Added rule for SHA-256: e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8.

We use santactl to add the rules to our whitelist, and after this Microsoft Defender ATP is fully functional with Santa running as additional protection.
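Picking the cert_sha256 values out of santa.log by eye works for two lines, but an installer with many helper daemons produces far more. Here is an added example (my own script, not from the post or from the Santa project) that parses the log's key=value fields, keeps only denied EXEC events, and groups them by signing certificate so each certificate can be confirmed before a rule is added. It runs under pwsh on macOS, or anywhere on a copy of the log; the santactl rule syntax it prints is the one used in the post, and the two sample lines it falls back to are the ones shown above.

```powershell
# Added example, not code from the original post: parse santa.log, keep EXEC events that were
# denied, and group them by signing certificate so each cert_sha256 can be reviewed before a
# certificate rule is added with santactl. Runs under pwsh on macOS (or anywhere, on a copy of the log).
param([string]$LogPath = '/var/db/santa/santa.log')

# The two DENY lines shown in the post; used only when the log file is not present.
$sampleLines = @(
    'action=EXEC|decision=DENY|reason=UNKNOWN|sha256=241fde944258965f8912bfc30b55a60c821642722131e64b1d3dfce2d1913354|cert_sha256=e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=687|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Applications/Microsoft Defender'
    'action=EXEC|decision=DENY|reason=UNKNOWN|sha256=9a01cc98d7e1c5d3f1cde3f6b06b8d1540a0c35f80bf7026e8bf8274b05403cd|cert_sha256=09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=774|ppid=1|uid=501|user=fr-santatest|gid=20|group=staff|mode=L|path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AU AU Daemon'
)

function ConvertFrom-SantaLine {
    param([string]$Line)
    # Lines in the real log carry a timestamp and "santad:" prefix; start parsing at the first field.
    $start = $Line.IndexOf('action=')
    if ($start -lt 0) { return $null }
    $fields = @{}
    foreach ($kv in $Line.Substring($start) -split '\|') {
        $eq = $kv.IndexOf('=')
        if ($eq -gt 0) { $fields[$kv.Substring(0, $eq)] = $kv.Substring($eq + 1) }
    }
    [pscustomobject]$fields
}

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sampleLines }

$denied = $lines | ForEach-Object { ConvertFrom-SantaLine $_ } |
    Where-Object { $_ -and $_.action -eq 'EXEC' -and $_.decision -eq 'DENY' }

# One entry per signing certificate: how often it was blocked, which binaries, and the rule
# the post adds once the certificate has been confirmed as the expected one.
$denied | Group-Object cert_sha256 | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Denials    = $_.Count
        CertCN     = $first.cert_cn
        CertSHA256 = $_.Name
        Paths      = (@($_.Group | ForEach-Object { $_.path }) | Sort-Object -Unique) -join '; '
        Rule       = "santactl rule --whitelist --certificate --sha256 $($_.Name)"
    }
} | Format-List
```

On the two lines from the post this yields one entry per Microsoft certificate, each with the matching santactl command; the point of grouping by cert_sha256 rather than sha256 is that a certificate rule covers every binary the vendor ships under that certificate, including the next update.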

Edit: now with correct ATP vs APT, thanks Jan.

Skype Updater Escalation Prevention through GPO

Categories: Uncategorized

An issue with the Skype installer was published.

This can elevate normal users on a PC to SYSTEM on older OSes that don't use Windows 10 Apps.

On Windows 10 you can install version 8 only if you set the installer to Windows 7 or 8; when testing that, the update service was not installed.

On the 7.x branch the update service was added on my test PC, but it wasn't visible on the 8 branch.

It's recommended to stay on the newest version and use Windows 10 Apps when possible.

For the workaround (which will break automatic updates but preserve security):

Create a new Group Policy.


Go to Windows Settings, Security Settings, System Settings.

Select the Skype Update Service and select Disabled.

Verify it's set to Disabled.


Set the GPO filter for testing.

Link the GPO (linking to the root is acceptable for testing).

Run gpupdate /force or wait a bit; after that the setting is Disabled and can't be modified.
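To verify the result on a test PC without opening services.msc, here is an added example (my own script, not from the post) that queries the service through WMI/CIM and reports whether its start mode is Disabled. It assumes the service's display name begins with "Skype Update"; if the installed branch names it differently, adjust the filter to the name shown in the GPO editor.

```powershell
# Added example, not code from the original post: confirm on a test machine that the Skype
# update service has the start type the GPO sets, and report a warning if policy has not
# applied yet. Assumption: the service display name starts with "Skype Update".
function Get-SkypeUpdaterState {
    Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'Skype Update%'" |
        Select-Object Name, DisplayName, StartMode, State
}

function Test-SkypeUpdaterDisabled {
    $services = @(Get-SkypeUpdaterState)
    if ($services.Count -eq 0) {
        'No Skype update service installed on this machine (8.x branch, or Windows 10 App)'
        return
    }
    foreach ($svc in $services) {
        if ($svc.StartMode -ne 'Disabled') {
            "WARNING: $($svc.Name) ($($svc.DisplayName)) is $($svc.StartMode) and $($svc.State); GPO not applied yet"
        } else {
            "$($svc.Name) ($($svc.DisplayName)) is Disabled and $($svc.State)"
        }
    }
}

Test-SkypeUpdaterDisabled
```

Run it before and after gpupdate /force: the start mode flipping to Disabled (and staying there after a reboot) is the evidence that the policy, not a manual change, is now controlling the service.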

ATA 1.6 Update 1, auto update of gateways

Categories: Uncategorized


Microsoft released the first update to version 1.6 a short while ago.


This is the first update that can use the new auto update of gateways.


We didn't have auto update enabled, so all gateways want an update.


Enable and Save.


A few seconds later the gateway agents start to update, and 5 minutes later all agents here are updated.

Very, very smooth.