Windows Services not starting (Event ID 7000/7009)

If some Windows services fail to start after a computer restart (usually after the system has installed updates), the System event log will typically show Event ID 7000 or 7009. These events mean that the Service Control Manager (SCM) timed out waiting for the service to connect within the default 30 seconds. The fix is to increase the default service timeout:

  1. Click the Start button, then click Run, type regedit, and click OK.
  2. In the Registry Editor, click the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
  3. In the details pane, locate the ServicesPipeTimeout entry, right-click that entry and then select Modify. Note: If the ServicesPipeTimeout entry does not exist, you must create it by selecting New on the Edit menu, followed by DWORD Value, then typing ServicesPipeTimeout, and pressing Enter.
  4. Click Decimal, enter the new timeout value in milliseconds (60000 means 1 minute), and then click OK.
  5. Restart the computer.
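The same change as a script, added here as an example and not part of the original post: it first lists recent 7000/7009 events so the change is based on evidence, then creates or raises ServicesPipeTimeout. The 60000 ms value is the one used above.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell prompt;
# the new ServicesPipeTimeout value only takes effect after a restart.
$key          = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$name         = 'ServicesPipeTimeout'
$newTimeoutMs = 60000   # 60000 ms = 1 minute, the value used in the post

# 1. Confirm the symptom: recent SCM events (7000 = service failed to start, 7009 = timeout waiting for connect)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009
} -MaxEvents 20 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No 7000/7009 events in the System log; the timeout may not be the cause.'
} else {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
}

# 2. Read the current value; $null means the entry does not exist and the 30 s default applies
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $current) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $newTimeoutMs | Out-Null
    Write-Host "Created $name = $newTimeoutMs ms (restart required)"
} elseif ($current -lt $newTimeoutMs) {
    Set-ItemProperty -Path $key -Name $name -Value $newTimeoutMs
    Write-Host "Raised $name from $current ms to $newTimeoutMs ms (restart required)"
} else {
    Write-Host "$name is already $current ms; nothing changed"
}
```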

Preventing Pass-the-Hash

Working with different clients I’ve seen a lot of ignorance and neglect when it comes to PtH. Here are the control mechanisms that should be implemented to protect cached credentials and avoid Pass-the-Hash attacks:

1. Apply UAC restrictions to local accounts on network logons

This can be configured with group policy settings; it controls whether local accounts can be used for remote administration via network logon. As an alternative you can configure the "Deny access to this computer from the network" group policy setting.

2. Disable WDigest Authentication

When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plain-text password in memory. Before Windows Server 2012 R2 this setting is enabled by default. To disable WDigest authentication you can use group policy or you can manually configure the following registry value:

"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
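An audit-and-fix script for both controls, added here as an example and not part of the original post. The UseLogonCredential path is the one given above; LocalAccountTokenFilterPolicy is the registry value written by the "Apply UAC restrictions to local accounts on network logons" policy and is not named in the post.

```powershell
# Added example, not part of the original post. Audits the two registry values behind the
# controls above and, with -Remediate, sets them. Run from an elevated prompt; a restart is
# the safe way to make sure both settings apply to every new logon.
param([switch]$Remediate)

# UseLogonCredential is the path given in the post. LocalAccountTokenFilterPolicy is the value
# that the "Apply UAC restrictions to local accounts on network logons" policy writes (it is
# not named in the post). For both values, 0 is the hardened state.
$controls = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Want = 0; MissingOk = $false
       Why  = 'WDigest keeps a plain-text copy of the password in LSASS memory when enabled' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Want = 0; MissingOk = $true
       Why  = 'a value of 1 lets local admin accounts use a full token over network logons' }
)

foreach ($c in $controls) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    # A missing UseLogonCredential means "enabled" on systems older than Windows Server 2012 R2,
    # so it is treated as non-compliant; a missing LocalAccountTokenFilterPolicy means filtering is on.
    if ($null -eq $actual) { $ok = $c.MissingOk } else { $ok = ($actual -eq $c.Want) }
    $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
    '{0,-29} current={1,-9} wanted={2}  {3}' -f $c.Name, $shown, $c.Want, $(if ($ok) { 'OK' } else { 'FIX' })
    if (-not $ok) {
        Write-Host "  reason: $($c.Why)"
        if ($Remediate) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord -Value $c.Want -Force | Out-Null
            Write-Host "  set $($c.Name) = $($c.Want)"
        }
    }
}
```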

Read More »

IIS permissions and authentication mechanisms

Application Pool Identity – An application pool identity allows you to run an application pool under a unique account without having to create and manage domain or local accounts. The name of the application pool account corresponds to the name of the application pool (e.g. IIS APPPOOL\DefaultAppPool). This is the account that IIS uses to access the application folder.

By default the Application Pool Identity is a member of the IIS_IUSRS group and the Users group.

When configuring the permissions for an application folder it is recommended to disable inheritance of permissions so that accounts and groups (e.g. Users, TrustedInstaller) are not automatically given permissions on that folder.

1) Anonymous

When you enable Anonymous authentication, IIS does not use any other authentication schemes unless NTFS permissions deny access to a resource.

By default IIS will use the Application Pool Identity to access the application folder, but you can also use a custom Windows account, which must be given NTFS permissions on the application folder.

2) Basic

Requires the creation of an individual Windows account for each user. It is insecure unless SSL/TLS is used, which has a performance cost.

3) Digest

When a client attempts to access a resource requiring Digest authentication, IIS sends a challenge asking the client to create a digest and send it to the server. The client concatenates the password with data known to both the server and the client. The client then applies a digest algorithm (specified by the server) to the combined data and sends the resulting digest to the server as the response to the challenge. The server uses the same process as the client to create a digest, using a copy of the client's password that it obtains from Active Directory, where the password is stored using reversible encryption.

One of the downsides of Digest authentication is that it requires passwords to be stored using reversible encryption (effectively cleartext) for all domain accounts in Active Directory that will use this type of authentication.

Digest authentication is only a slight improvement over Basic authentication. In the absence of SSL/TLS, an attacker could record the communication between the client and server and then use it to replay the transaction.

4) Windows authentication

Integrated Windows authentication can use either NTLM or Kerberos authentication.

If Internet Explorer recognizes the Negotiate header, it will choose it because it is listed first. When using Negotiate, the browser will return information for both NTLM and Kerberos. At the server, IIS will use Kerberos if both the client (browser) and server (IIS) are members of the same domain or trusted domains. Otherwise, the server will default to using NTLM.

If Internet Explorer does not understand Negotiate, it will use NTLM.

NTLM

NTLM is a Windows integrated authentication protocol that relies on the interactive use of a login box in which the end user enters their network credentials manually. Those credentials consist of the user's username, password and, if logging into an organization's domain, the domain name. Because it is Windows integrated, NTLM also supports SSO. When using NTLM the client is not required to have direct access to the domain controller.
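Applying the folder-permission and authentication advice above to one site, as an added example that is not from the original post: the site name, application pool name and folder path are assumptions to adjust for your server.

```powershell
# Added example, not from the original post. Assumed names: adjust $site, $pool and $folder.
Import-Module WebAdministration

$site     = 'Default Web Site'
$pool     = 'DefaultAppPool'
$folder   = 'C:\inetpub\wwwroot'          # the application folder (assumed)
$identity = "IIS AppPool\$pool"           # the application pool identity account
$apphost  = 'MACHINE/WEBROOT/APPHOST'     # applicationHost.config, site-level via -Location
$authBase = 'system.webServer/security/authentication'

# --- NTFS: stop inheriting, drop the broad Users grant, give only the pool identity read/execute ---
icacls $folder /inheritance:d                    | Out-Null   # copy inherited ACEs, then break inheritance
icacls $folder /remove:g 'BUILTIN\Users'         | Out-Null   # Users would otherwise keep inherited access
icacls $folder /grant "${identity}:(OI)(CI)RX"   | Out-Null   # read/execute on folder, subfolders and files
icacls $folder                                                # show the resulting ACL

# --- Authentication: Windows only. Negotiate yields Kerberos when both browser and IIS are
#     members of the same or trusted domains, otherwise NTLM, as described above. ---
foreach ($scheme in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
    # SilentlyContinue: the basic/digest sections only exist when those IIS features are installed
    Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$authBase/$scheme" `
        -Name enabled -Value $false -ErrorAction SilentlyContinue
}
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# Verify the provider order: Negotiate must be listed before NTLM for Kerberos to be chosen
Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$authBase/windowsAuthentication/providers/add" |
    Select-Object -ExpandProperty value
```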

Read More »

Fix an unbootable Windows system

First you will need a DVD with the Windows OS. After you boot from the DVD, select the "Repair your computer" link, then open the Command Prompt:


After you open the Command Prompt enter the following commands:

diskpart 
list disk 
select disk 0
list partition 
select partition 1
active

NOTE: The selected partition must be the one on which the OS is installed. A partition can only be marked "active" on an MBR disk, so if your disk uses GPT you must first convert it to MBR (for example with Aomei Partition Assistant).

Read More »

BGP

1. BGP Protocol

  • RFC 4271
  • classless
  • path vector – uses path attributes to select the best path (very slow to converge)
  • supports VLSM and summarization
  • it is an application-layer (layer 7) protocol that runs over TCP port 179
  • uses AS numbers as boundaries
    • Public AS (1-64511) – only public autonomous system numbers should be sent to eBGP neighbors on the Internet
    • Private AS (64512-65535)
// Use this command to remove private AS numbers from the AS-Path attribute; it is available only for eBGP neighbors.
neighbor {ip-address | peer-group-name} remove-private-as [all [replace-as]]

2. BGP Messages

After the TCP connection is established, the following messages are exchanged:

Read More »