User:Lycheelok/sandbox

AD

Run adprep /forestprep: requires Schema Admins, Enterprise Admins, and Domain Admins
Run adprep /domainprep: requires Domain Admins
Run adprep /domainprep /gpprep: requires Domain Admins

The 5 FSMO (Flexible Single Master Operation, pronounced "FIZZ-mo") roles are:

Schema Master – one per forest.
Domain Naming Master – one per forest.
Relative ID (RID) Master – one per domain.
Primary Domain Controller (PDC) Emulator – one per domain.
Infrastructure Master – one per domain.

Schema Master FSMO Role

The schema master FSMO role holder is the DC responsible for performing updates to the directory schema (that is, the schema naming context or LDAP://cn=schema,cn=configuration,dc= ). This DC is the only one that can process updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.

Domain Naming Master FSMO Role

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory (that is, the Partitions\Configuration naming context or LDAP://CN=Partitions, CN=Configuration, DC= ). This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories.

RID Master FSMO Role

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

Each Windows DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory.

PDC Emulator FSMO Role

The PDC emulator is necessary to synchronize time in an enterprise. Windows includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows domain, the PDC emulator role holder retains the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients. This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000. The PDC emulator still performs the other functions as described in a Windows 2000 environment.

The following information describes the changes that occur during the upgrade process:

Windows clients (workstations and member servers) and down-level clients that have installed the distributed services client package do not perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain. Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000, the PDC emulator receives no down-level replica requests.

Windows clients (workstations and member servers) and down-level clients that have installed the distributed services client package use the Active Directory to locate network resources. They do not require the Windows NT Browser service.

Infrastructure FSMO Role

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log.

If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

When the Recycle Bin optional feature is enabled, every DC is responsible for updating its own cross-domain object references when the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role. For more information, see 6.1.5.5 Infrastructure FSMO Role at http://msdn.microsoft.com/en-us/library/cc223753.aspx

For full administration functions, follow the steps below to seize the operations master role for Active Directory.

Seize FSMO roles and Global Catalog Server

Remark: use “transfer” of the FSMO role instead of “seize” during a DR drill, or in case BTSADP01 is still functional in step 5.

(Source: CNCBI BTS DR Recovery Procedure and result V2.3 {08Nov2018}.docx, page 13 of 245)

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to BTSADP01DR with the enterprise administrator account, e.g. ROOT\UCMFF01 or ROOT\UCMFF02.
2. Click “Start”, click “Run”, type “ntdsutil” in the Open box, and then click “OK”.
3. Type “roles”, and then press ENTER.
4. Type “connections”, and then press ENTER.
5. Type “connect to server BTSADP01DR”, and then press ENTER.
6. At the server connections prompt, type “q”, and then press ENTER.
7. Type “seize domain naming master” (Note: seize this role only when the ROOT domain is unreachable).
8. Click “YES” to confirm.
9. Type “seize infrastructure master”.
10. Click “YES” to confirm.
11. Type “seize PDC”.
12. Click “YES” to confirm.
13. Type “seize RID master”.
14. Click “YES” to confirm.
15. Type “seize schema master” (Note: seize this role only when the ROOT domain is unreachable).
16. Click “YES” to confirm.

Global Catalog Server

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site, or click Default-first-site-name if no other sites are available.
3. Open the Servers folder, and then click BTSADP01DR.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.
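Added example, not taken from these notes or from the DR document they quote: a PowerShell equivalent of the ntdsutil procedure above that reports the current role holders, checks the Infrastructure Master / Global Catalog placement rule from the Infrastructure FSMO section, and transfers the roles, seizing them with -Force only for the DR case. It assumes the ActiveDirectory module is installed and uses BTSADP01DR from the notes as the target name.

```powershell
# Added example (not from the original notes): FSMO report, IM/GC placement check,
# and transfer-or-seize of roles. $Target is the DR host name from the notes.
Import-Module ActiveDirectory

function Get-FsmoReport {
    # Same five roles that ntdsutil seizes, read from the forest and domain objects.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # The IM must not be a GC unless every DC in the domain is a GC or the
    # Recycle Bin feature is enabled; otherwise cross-domain references go stale.
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter * -Server $domain.DNSRoot
    $im     = $dcs | Where-Object HostName -eq $domain.InfrastructureMaster
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $binOn  = [bool](Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"').EnabledScopes
    if ($im.IsGlobalCatalog -and -not $allGc -and -not $binOn) {
        Write-Warning "Infrastructure Master $($im.HostName) is a GC and not all DCs are GCs; move the role to a non-GC DC."
    } else {
        Write-Host "Infrastructure Master placement OK (IM on GC: $($im.IsGlobalCatalog); all DCs GC: $allGc; Recycle Bin: $binOn)"
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$Target,
        [string[]]$Roles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster'),
        [switch]$Seize   # only when the current holder is permanently unreachable
    )
    $params = @{ Identity = $Target; OperationMasterRole = $Roles; Confirm = $false }
    if ($Seize) { $params['Force'] = $true }   # -Force seizes instead of transferring
    Move-ADDirectoryServerOperationMasterRole @params
}

$Target = 'BTSADP01DR'   # host name from the notes above
Get-FsmoReport | Format-List
Test-InfrastructureMasterPlacement

# Graceful transfer while the old holder still answers (the "DR drill" case):
# Move-FsmoRoles -Target $Target
# Seize everything, including the forest-wide roles, only when the ROOT domain is gone:
# Move-FsmoRoles -Target $Target -Roles SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster -Seize

# Verify the result, including the Global Catalog flag the GUI steps above check by hand.
Get-ADDomainController -Identity $Target | Select-Object HostName, IsGlobalCatalog, OperationMasterRoles
```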

repadmin /syncall

dcdiag /v

DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues.

Ensure that the source DNS server is functioning properly by using the Dcdiag.exe and Dnslint.exe tools:

Verify that the core DNS configuration requirements exist on the source server by running the following dcdiag command:  dcdiag /test:dns /s:

Migrating from AD 2008R2 to 2016 is mostly painless. Things you should consider prior to the upgrade:

1. DES and LMv2 are not supported on 2012R2 and later.
2. Operating systems like Windows XP, Server 2003 and 2008 (not SP2) are not supported.
3. If the domain/forest was upgraded to 2008R2 from earlier versions, you should migrate SYSVOL replication from FRS to DFSR.
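Added example (not from the original notes): a pre-upgrade check for the three points above, run from a DC or a host with RSAT. It assumes the ActiveDirectory module and dfsrmig.exe are available; the operating-system name patterns are assumptions about how computer objects report their OS.

```powershell
# Added example (not from the original notes): pre-upgrade checks for DES-only
# accounts, unsupported member operating systems, and FRS vs DFSR SYSVOL state.
Import-Module ActiveDirectory

function Get-DesOnlyAccount {
    # Point 1: accounts flagged "Use Kerberos DES encryption types" stop
    # authenticating once the new DCs refuse DES; fix them before promoting.
    Get-ADUser -Filter "UseDESKeyOnly -eq 'True'" -Properties UseDESKeyOnly, LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate
}

function Get-UnsupportedDomainMember {
    # Point 2: computer objects still reporting XP / 2003 / 2008 RTM or SP1
    # (2008 SP2 is allowed). Patterns are assumptions about the OS strings.
    Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate |
        Where-Object {
            $_.OperatingSystem -match 'Windows XP|Server 2003' -or
            ($_.OperatingSystem -match 'Server 2008(?! R2)' -and
             $_.OperatingSystemServicePack -ne 'Service Pack 2')
        } |
        Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate
}

function Get-SysvolReplicationState {
    # Point 3: dfsrmig reports 'Eliminated' once SYSVOL is fully on DFSR;
    # "not yet initialized" means FRS is still the only replication engine.
    $out = (& dfsrmig.exe /getglobalstate 2>&1 | Out-String).Trim()
    if ($out -match "'Eliminated'")                                { return 'DFSR' }
    if ($out -match 'DFSR migration has not yet initialized')      { return 'FRS' }
    return "In progress: $out"
}

"DES-only accounts:";        Get-DesOnlyAccount | Format-Table -AutoSize
"Unsupported members:";      Get-UnsupportedDomainMember | Format-Table -AutoSize
"SYSVOL replication engine: $(Get-SysvolReplicationState)"
```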

DC Promote

You can promote the DC using the PowerShell console. The PowerShell cmdlets are named:

Install-ADDSForest
Install-ADDSDomain
Install-ADDSDomainController

These cmdlets replace Dcpromo.exe.

2008: Install the AD DS role. (Note: This step only installs the necessary executable files and templates for later use. It does not actually promote the computer.)
Advanced Tools -> AD DS Tools -> Click on Dcpromo.exe (right)
Select Existing forest -> Add a domain controller to an existing domain
Type in the domain name
Supply the domain logon user name and password

# Move quarantined SZDCU* computer objects into the SZDC workstations OU
$comps = Get-ADComputer -Filter "Name -like 'SZDCU*'" -SearchBase "OU=Computer Quarantine,OU=HKG,DC=hkg,DC=ho,DC=cncb2" |
    Sort-Object -Property Name |
    Select-Object -ExpandProperty Name
foreach ($comp in $comps) {
    Get-ADComputer $comp | Move-ADObject -TargetPath "OU=SZDC,OU=Workstations,OU=HKG,DC=hkg,DC=ho,DC=cncb2" -Verbose
}

--

PS / SCCM

Remove SMB1

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -norestart

Replace / create local admin with new password

$Password = ConvertTo-SecureString "P@ssw0rd1234" -AsPlainText -Force
New-LocalUser "tempadmin1" -Password $Password -FullName "tempadmin1"
Add-LocalGroupMember -Group "Administrators" -Member "tempadmin1"

Remove telnet client

Remove-WindowsFeature Telnet-Client

Unlock / enable local admin

$Password = ConvertTo-SecureString "P@ssw0rd1234" -AsPlainText -Force
Enable-LocalUser "sysadmin"
Set-LocalUser -Name "sysadmin" -Password $Password

Get IP

SCCM – IP Addresses

A dirty little secret of Microsoft, and why you don’t see IP address columns in the SCCM console, is that MS stores all the IP addresses of a machine into a single row, into an array. So, when viewed, you’ll see 1-6 (or more) IP addresses all crammed together. Not great.

Here are some common methods for dealing with IP addresses. I normally just run the queries directly on the SQL DB, but you can also use SCCM Reporting and SCCM Queries under Monitoring.

SCCM REPORT TO LIST IP ADDRESSES – LITE VERSION

select distinct
    A.Name0, C.IPAddress0, D.IP_Subnets0
from v_R_System A
    inner join v_FullCollectionMembership B on A.ResourceID = B.ResourceID
    inner join v_GS_NETWORK_ADAPTER_CONFIGUR C on A.ResourceID = C.ResourceID
    inner join v_RA_System_IPSubnets D on A.ResourceID = D.ResourceID
where B.CollectionID = @COLLID and C.IPEnabled0 = '1'
group by A.Name0, C.IPAddress0, D.IP_Subnets0
order by A.Name0, C.IPAddress0, D.IP_Subnets0

SCCM REPORT TO LIST IP ADDRESSES – FULL VERSION

SELECT distinct
    CS.Name0 as 'Server Name',
    OS.Caption0 as 'OS',
    CU.Manufacturer0 as 'Manufacturer',
    CU.Model0 as 'Model',
    RAM.TotalPhysicalMemory0/1024 as [RAM (MB)],
    Processor.Name0 as 'Processor',
    BIOS.ReleaseDate0 as 'BIOS Manufacture Date',
    OS.InstallDate0 as 'OS Install Date',
    IP.IP_Addresses0 as 'IP Address'
from v_R_System CS
    FULL join v_GS_PC_BIOS BIOS on BIOS.ResourceID = CS.ResourceID
    FULL join v_GS_OPERATING_SYSTEM OS on OS.ResourceID = CS.ResourceID
    FULL join v_GS_X86_PC_MEMORY RAM on RAM.ResourceID = CS.ResourceID
    FULL join v_GS_PROCESSOR Processor on Processor.ResourceID = CS.ResourceID
    FULL join v_GS_SYSTEM_ENCLOSURE SE on SE.ResourceID = CS.ResourceID
    FULL join v_GS_COMPUTER_SYSTEM CU on CU.ResourceID = CS.ResourceID
    join v_RA_System_IPAddresses IP on IP.ResourceID = CS.ResourceID
WHERE CS.Operating_System_Name_and0 LIKE '%nt%server%'
    AND IP.IP_Addresses0 NOT LIKE '192.168%'
    AND IP.IP_Addresses0 NOT LIKE '172.10%'
    AND IP.IP_Addresses0 NOT LIKE '%:%'
    AND IP.dhcpenabled0 = 0
group by
    CS.Name0, OS.Caption0, CU.Manufacturer0, CU.Model0, RAM.TotalPhysicalMemory0,
    BIOS.ReleaseDate0, OS.InstallDate0, Processor.Name0, IP.IP_Addresses0
order by CS.Name0

IP ADDRESSES SINGLE COLUMN

select distinct
    SD.Name0, IP.IPAddress0
from v_GS_System SD
    join v_GS_Network_Adapter_Configur IP on SD.ResourceID = IP.ResourceID
where IP.DefaultIPGateway0 is not null
    and IP.IPAddress0 is not null
    and IP.IPAddress0 <> '0.0.0.0'
order by SD.Name0

DISTINCT ADDRESSES, multiple rows

SELECT v_RA_System_ResourceNames.Resource_Names0 AS [Resource name],
       v_RA_System_IPAddresses.IP_Addresses0 AS [IP Address]
FROM v_RA_System_MACAddresses
    INNER JOIN v_RA_System_ResourceNames ON v_RA_System_MACAddresses.ResourceID = v_RA_System_ResourceNames.ResourceID
    INNER JOIN v_RA_System_IPAddresses ON v_RA_System_MACAddresses.ResourceID = v_RA_System_IPAddresses.ResourceID

SINGLE IP ADDRESS

SELECT DNSHostName0 AS [NetBIOS Name],
       CASE WHEN IPAddress0 LIKE '%,%' THEN LEFT(IPAddress0, CHARINDEX(',', IPAddress0) - 1)
            ELSE IPAddress0 END AS [IP Address]
FROM v_GS_NETWORK_ADAPTER_CONFIGUR
WHERE ([dbo].[v_GS_NETWORK_ADAPTER_CONFIGUR].IPAddress0 NOT LIKE 'fe%')
  AND ([dbo].[v_GS_NETWORK_ADAPTER_CONFIGUR].IPAddress0 IS NOT NULL)
  AND ([dbo].[v_GS_NETWORK_ADAPTER_CONFIGUR].IPAddress0 NOT LIKE '169.254.%')
  AND ([dbo].[v_GS_NETWORK_ADAPTER_CONFIGUR].DefaultIPGateway0 IS NOT NULL)
  AND ([dbo].[v_GS_NETWORK_ADAPTER_CONFIGUR].IPEnabled0 = '1')

SCCM QUERY RETURN IPs TO ONE COLUMN

select Name, IPAddresses, LastLogonUserDomain, LastLogonUserName, ResourceType, NetbiosName, ClientType
from SMS_R_System
where Client = 1 and SMS_R_System.Name = SMS_R_System.Name
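Added example (not from the original notes): the WQL query above returns IPAddresses as the array the notes describe, and the SQL views expose the same data as one comma-joined string. This PowerShell function expands either shape into one row per usable IPv4 address with the same exclusions the reports above apply (IPv6, 169.254.x APIPA, 0.0.0.0). It runs on a constructed sample; the commented Get-CimInstance call, with the CCC site code and management point from these notes, is what you would substitute against a live site.

```powershell
# Added example (not from the original notes): expand SCCM's IPAddresses array
# into one row per address. Sample records below are constructed for the demo.
function Expand-SccmIpAddress {
    param([Parameter(ValueFromPipeline)] $System)
    process {
        # SMS_R_System.IPAddresses is a string array; the SQL views give one
        # comma-separated string (IPAddress0). Accept both shapes.
        $list = if ($System.IPAddresses -is [string]) { $System.IPAddresses -split ',' }
                else { @($System.IPAddresses) }
        foreach ($raw in $list) {
            $ip = "$raw".Trim()
            if (-not $ip -or $ip -eq '0.0.0.0') { continue }   # unconfigured adapter
            if ($ip -match ':')                { continue }   # IPv6  (SQL: NOT LIKE '%:%')
            if ($ip -like '169.254.*')         { continue }   # APIPA (SQL: NOT LIKE '169.254.%')
            [pscustomobject]@{ Name = $System.Name; IPAddress = $ip }
        }
    }
}

# Live site (assumes the CCC site code and management point from the notes):
# $systems = Get-CimInstance -Namespace 'root\sms\site_CCC' -ClassName SMS_R_System `
#              -ComputerName SCCMWMGTP1.ckwb01.citickawahbank.com -Filter 'Client = 1'

# Constructed sample shaped like SMS_R_System records plus one SQL-style string.
$systems = @(
    [pscustomobject]@{ Name = 'SRV01'; IPAddresses = @('10.1.2.3', 'fe80::1%12', '169.254.10.5') }
    [pscustomobject]@{ Name = 'SRV02'; IPAddresses = @('10.1.2.4', '10.1.2.5', '0.0.0.0') }
    [pscustomobject]@{ Name = 'SRV03'; IPAddresses = '10.1.2.6, fe80::2%7' }
)
$systems | Expand-SccmIpAddress | Format-Table -AutoSize
```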

Get Windows build

Windows Server 2019      NT 10.0
Windows Server 2016      NT 10.0
Windows Server 2012 R2   NT 6.3
Windows Server 2012      NT 6.2
Windows Server 2008 R2   NT 6.1
Windows Server 2008      NT 6.0
Windows Server 2003 R2   NT 5.2
Windows Server 2003      NT 5.2
Windows 2000             NT 5.0

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "%Server 6.0%" or SMS_R_System.OperatingSystemNameandVersion like "%Server 6.1%"

Ports

TCP and UDP Port 88 – Kerberos authentication
TCP and UDP Port 135 – domain controller-to-domain controller and client-to-domain controller operations
TCP Port 139 and UDP 138 – File Replication Service between domain controllers
UDP Port 389 – LDAP to handle normal queries from client computers to the domain controllers
TCP and UDP Port 445 – File Replication Service
TCP and UDP Port 464 – Kerberos password change
TCP Port 3268 and 3269 – Global Catalog from client to domain controller
TCP and UDP Port 53 – DNS from client to domain controller and domain controller to domain controller
TCP Port 5722 – DFSR/RPC – SYSVOL replication between domain controllers
UDP Port 123 – Network Time Protocol

Either or possibly both of the following port ranges too:

TCP Port Range 1025-5000 – if your network has any Server 2003 R2 or older domain controllers. This is the default dynamic range for RPC connections.
TCP Port Range 49152-65535 – if your network has any Server 2008 or newer domain controllers. This is the new dynamic port range for RPC connections.

reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" /s

reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" /s

reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers" /s

reg query "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" /s

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0

reg add "HKEY_LOCAL_MACHINE\System\Currentcontrolset\Control\Securityproviders\Wdigest" /v UseLogonCredential /t REG_DWORD /d 0

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" /v NoNameReleaseOnDemand /t REG_DWORD /d 1

reg add "HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Mrxsmb10" /v Start /t REG_DWORD /d 4

net user sysadmin "UHz2'p6,H'H62c"

net user nessusadmin "gN#1X5.l1cK92c"

misc

LAPS

Get-AdmPwdPassword -ComputerName WIN81-X64
Reset-AdmPwdPassword -ComputerName WIN81-X64

Total number of user accounts in AD

PS> (Get-ADUser -filter *).count

Total number of user accounts in an OU

PS> (Get-ADUser -filter * -searchbase "OU=Vancouver, OU=MyCompany, DC=Domain, DC=Local").count

Replace the SearchBase with your own OU path.

Total number of enabled/disabled accounts in AD

PS> (Get-ADUser -Filter * | Where-Object { $_.Enabled -eq $true }).count
PS> (Get-ADUser -Filter * | Where-Object { $_.Enabled -eq $false }).count

Total number of user accounts in a Group

PS> (Get-ADGroupMember -Identity "Group Name").count

Check TS settings

gwmi -Namespace root\cimv2\terminalservices -Class Win32_TSGeneralSetting

CPUs / Cores

wmic cpu get Name,SocketDesignation,NumberOfCores,NumberOfLogicalProcessors

--

Hardening

Batch:

@echo Copy WinX

xcopy /E c:\temp\WinX C:\Users\Administrator\AppData\Local\Microsoft\Windows\WinX

xcopy /E c:\temp\WinX C:\Users\Default\AppData\Local\Microsoft\Windows\WinX

@echo Applying Windows Security Template

secedit /configure /db %computername%.sdb /cfg Hardening.inf /log %computername%.log /verbose

@echo 1.2.2.4.Other Registry Settings (Windows 2012)

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems" /f /v Optional /t REG_MULTI_SZ /d ""

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\parameters" /f /v RestrictNullSessAccess /t REG_DWORD /d 1

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\parameters" /f /v NullSessionPipes /t REG_MULTI_SZ /d ""

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\parameters" /f /v NullSessionShares /t REG_MULTI_SZ /d ""

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v DisableIPSourceRouting /t REG_DWORD /d 2

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v EnableDeadGWDetect /t REG_DWORD /d 0

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v EnableICMPRedirect /t REG_DWORD /d 0

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v EnableSecurityFilters /t REG_DWORD /d 1

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v KeepAliveTime /t REG_DWORD /d 300000

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v PerformRouterDiscovery /t REG_DWORD /d 0

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v SynAttackProtect /t REG_DWORD /d 2

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v TcpMaxConnectResponseRetransmissions /t REG_DWORD /d 2

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v TcpMaxConnectRetransmissions /t REG_DWORD /d 3

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v TcpMaxDataRetransmissions /t REG_DWORD /d 3

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v TCPMaxPortsExhausted /t REG_DWORD /d 5

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters" /f /v EnablePMTUDiscovery /t REG_DWORD /d 0

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\parameters" /f /v NoNameReleaseOnDemand /t REG_DWORD /d 1

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v NoDriveTypeAutoRun /t REG_DWORD /d 255

@echo 1.2.2.6.Specific Registry Keys Settings for 2012 Servers

REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /f /v SubmitControl /t REG_DWORD /d 1

REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /f /v EnableSecuritySignature /t REG_DWORD /d 1

REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /f /v RequireSecuritySignature /t REG_DWORD /d 0

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v MinEncryptionLevel /t REG_DWORD /d 3

@echo 1.3.1.Remote Access Services

@echo Setting RDP port to 7002

REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v PortNumber /t REG_DWORD /d 7002

@echo 1.3.2.External Storage and Removable Devices Restrictions

xCopy Machine %systemroot%\system32\GroupPolicy\Machine /Y /I /H /E

@echo CD and DVD

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\53f56308-b6bf-11d0-94f2-00a0c91efb8b" /f /v Deny_Read /t REG_DWORD /d 0

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\53f56308-b6bf-11d0-94f2-00a0c91efb8b" /f /v Deny_Write /t REG_DWORD /d 1

@echo Floppy Drives

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\53f56311-b6bf-11d0-94f2-00a0c91efb8b" /f /v Deny_Read /t REG_DWORD /d 1

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\53f56311-b6bf-11d0-94f2-00a0c91efb8b" /f /v Deny_Write /t REG_DWORD /d 1

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\53f56311-b6bf-11d0-94f2-00a0c91efb8b" /f /v Deny_Execute /t REG_DWORD /d 1

@echo Removable Disks

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\53f5630d-b6bf-11d0-94f2-00a0c91efb8b" /f /v Deny_Read /t REG_DWORD /d 0

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\53f5630d-b6bf-11d0-94f2-00a0c91efb8b" /f /v Deny_Write /t REG_DWORD /d 1

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\53f5630d-b6bf-11d0-94f2-00a0c91efb8b" /f /v Deny_Execute /t REG_DWORD /d 1

@echo Tape Drives

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\53f5630b-b6bf-11d0-94f2-00a0c91efb8b" /f /v Deny_Read /t REG_DWORD /d 0

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\53f5630b-b6bf-11d0-94f2-00a0c91efb8b" /f /v Deny_Write /t REG_DWORD /d 0

@echo WPD Drives

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\6AC27878-A6FA-4155-BA85-F98F491D4F33" /f /v Deny_Read /t REG_DWORD /d 0

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\6AC27878-A6FA-4155-BA85-F98F491D4F33" /f /v Deny_Write /t REG_DWORD /d 0

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE" /f /v Deny_Read /t REG_DWORD /d 0

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE" /f /v Deny_Write /t REG_DWORD /d 0

@echo All Removable Storage

REG ADD "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices" /f /v AllowRemoteDASD  /t REG_DWORD /d 0

@echo Auto Play

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v DontSetAutoplayCheckbox /t REG_DWORD /d 1

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v NoDriveTypeAutoRun /t REG_DWORD /d 255

REG ADD "HKLM\Software\Policies\Microsoft\Windows\Explorer" /f /v NoAutoplayfornonVolume  /t REG_DWORD /d 1

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v NoAutorun /t REG_DWORD /d 1

@echo Screen Saver

REG ADD "HKCU\Control Panel\Desktop" /f /v ScreenSaveActive /t REG_SZ /d 1

REG ADD "HKCU\Control Panel\Desktop" /f /v ScreenSaveTimeOut /t REG_SZ /d 900

REG ADD "HKCU\Control Panel\Desktop" /f /v ScreenSaverIsSecure /t REG_SZ /d 1

gpupdate /force

@echo Hardening completed, please review CMD windows for error and manual reboot server

@echo Please manual rename built-in administrator ID

Pause
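Added example (not from the original notes): a drift check for the registry values the batch above writes, so a host can be re-verified after patching or after someone "temporarily" changes a setting. The expected values are copied from the batch; the list is a subset chosen for the check and any key or value absent on the host is reported as Missing.

```powershell
# Added example (not from the original notes): compare live registry values
# against the values the hardening batch sets and report OK / Drift / Missing.
function Test-HardeningRegistry {
    param([Parameter(Mandatory)][hashtable[]]$Expected)
    foreach ($e in $Expected) {
        # The batch uses REG ADD's "HKLM\..." form; the provider wants "HKLM:\...".
        $path = $e.Key -replace '^HKLM\\', 'HKLM:\'
        $actual = try {
            (Get-ItemProperty -Path $path -Name $e.Name -ErrorAction Stop).($e.Name)
        } catch { $null }
        $state = if ($null -eq $actual)               { 'Missing' }
                 elseif ("$actual" -eq "$($e.Value)")  { 'OK' }
                 else                                  { 'Drift' }
        [pscustomobject]@{
            Key = $e.Key; Name = $e.Name; Expected = $e.Value; Actual = $actual; State = $state
        }
    }
}

# Expected values taken from the REG ADD lines in the batch above.
$expected = @(
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\parameters'; Name = 'RestrictNullSessAccess'; Value = 1 }
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters';        Name = 'DisableIPSourceRouting'; Value = 2 }
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters';        Name = 'SynAttackProtect';       Value = 2 }
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\parameters';        Name = 'EnableICMPRedirect';     Value = 0 }
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\NetBT\parameters';        Name = 'NoNameReleaseOnDemand';  Value = 1 }
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun';  Value = 255 }
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoAutorun';           Value = 1 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';  Name = 'MinEncryptionLevel';     Value = 3 }
    @{ Key = 'HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'PortNumber'; Value = 7002 }
)

$report = Test-HardeningRegistry -Expected $expected
$report | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or SCCM compliance script flag the host.
if ($report.State -contains 'Drift' -or $report.State -contains 'Missing') { exit 1 }
```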

hardening.inf

[Unicode]

Unicode=yes

[Version]

signature="$CHICAGO$"

Revision=1

[System Access]

MinimumPasswordAge = 14

MaximumPasswordAge = 90

MinimumPasswordLength = 8

PasswordComplexity = 1

PasswordHistorySize = 6

LockoutBadCount = 3

ResetLockoutCount = 480

LockoutDuration = -1

ForceLogoffWhenHourExpire = 1

LSAAnonymousNameLookup = 0

EnableGuestAccount = 0

[System Log]

MaximumLogSize = 512000

AuditLogRetentionPeriod = 0

RestrictGuestAccess = 1

[Security Log]

MaximumLogSize = 512000

AuditLogRetentionPeriod = 0

RestrictGuestAccess = 1

[Application Log]

MaximumLogSize = 512000

AuditLogRetentionPeriod = 0

RestrictGuestAccess = 1

[Event Audit]

AuditSystemEvents = 3

AuditLogonEvents = 2

AuditObjectAccess = 0

AuditPrivilegeUse = 3

AuditPolicyChange = 3

AuditAccountManage = 3

AuditProcessTracking = 2

AuditDSAccess = 3

AuditAccountLogon = 3

[Registry Values]

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,1

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0"

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1"

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Access warning!!!"

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,This computer system"," its network and data contained therein is the property of the China CITIC Bank International Limited. Access to this computer and network is restricted to persons and programs authorized by the Group only. Access by others is prohibited and unauthorized"," and is wrongful under law. Do not proceed if you are not authorized. Any unauthorized access will be prosecuted to the fullest extent of the law.

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,0

MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection=4,1

MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0

MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0

MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1

MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0

MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0

MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0

MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0

MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1

MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1

MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912

MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912

MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1

MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1

MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1

MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1

MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion

MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1

MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0

MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1

MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1

MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0

MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1

MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0

MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,90

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,0

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1

[Privilege Rights]

SeInteractiveLogonRight = *S-1-5-32-555,*S-1-5-32-544

SeRemoteInteractiveLogonRight = *S-1-5-32-555,*S-1-5-32-544

SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544

SeCreateGlobalPrivilege = *S-1-5-6,*S-1-5-20,*S-1-5-19,*S-1-5-32-544

SeCreatePermanentPrivilege =

SeDenyBatchLogonRight = *S-1-5-32-546

SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546

SeRemoteShutdownPrivilege = *S-1-5-32-544

SeIncreaseWorkingSetPrivilege = *S-1-5-32-545

SeSecurityPrivilege = *S-1-5-32-544

SeSystemEnvironmentPrivilege = *S-1-5-32-544

SeSystemProfilePrivilege = *S-1-5-32-544

[Service General Setting]

"AppMgmt",4,""

"Browser",4,""

"Dhcp",4,""

"SharedAccess",4,""

"PolicyAgent",4,""

"MMCSS",4,""

"NetTcpPortSharing",4,""

"WPDBusEnum",4,""

"Power",4,""

"RasAuto",4,""

"RasMan",4,""

"RemoteAccess",4,""

"SSDPSRV",4,""

"TapiSrv",4,""

"upnphost",4,""

Batch examples:

net stop MCAFEEAPACHESRV

net stop MCAFEETOMCATSRV590

timeout /T 60

net start MCAFEETOMCATSRV590

timeout /T 10

net start MCAFEEAPACHESRV

shutdown -r -f -t 01

--

Ex

1) Run the script to add the delegate
2) Grant Full Access & Auto mapping:

Add-MailboxPermission -Identity "PatrickSP_Chan@cncbinternational.com" -User "LydiaMYTso" -AccessRights FullAccess -InheritanceType All -AutoMapping $true

GPO WMI

Namespace: root\CIMv2 (all)

Any Windows Desktop OS

select * from Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")

Windows 7

select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1"

Any 32-bit Windows Desktop

select * from Win32_OperatingSystem WHERE ProductType = "1" AND NOT OSArchitecture = "64-bit"

Any Windows Server but not DC

select * from Win32_OperatingSystem where (ProductType = "3")

Laptop / mobile PC

Select * from Win32_Battery where BatteryStatus <> 0

Windows Server 2003

select * from Win32_OperatingSystem WHERE Version like "5.2%" AND ProductType="3"

Windows Server 2008R2 but not DC

select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="3"

Windows Server 2012R2 but not DC

select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="3"

Windows Server 2016 but not DC

select * from Win32_OperatingSystem WHERE Version like "10.0%" AND ProductType="3"
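Added example, not part of the original notes: a PowerShell routine that evaluates the GPO WMI filter queries listed above against the local computer. A WMI filter applies when its query returns at least one instance, so this shows which filters a given machine would pass before the GPO is linked. The filter names and queries are taken from the list above; the namespace is root\CIMv2 as the notes specify.

```powershell
# Added example (not from the original notes). Evaluates GPO WMI filter queries locally.
# A filter "applies" to a computer only when its query returns at least one instance.
$filters = [ordered]@{
    'Any Windows Desktop OS'         = 'select * from Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")'
    'Windows 7'                      = 'select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1"'
    'Any 32-bit Windows Desktop'     = 'select * from Win32_OperatingSystem WHERE ProductType = "1" AND NOT OSArchitecture = "64-bit"'
    'Any Windows Server but not DC'  = 'select * from Win32_OperatingSystem where (ProductType = "3")'
    'Laptop / mobile PC'             = 'Select * from Win32_Battery where BatteryStatus <> 0'
    'Windows Server 2008R2 but not DC' = 'select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="3"'
    # Note: Server 2019 and 2022 also report Version 10.0.x, so this filter matches them as well
    'Windows Server 2016 but not DC' = 'select * from Win32_OperatingSystem WHERE Version like "10.0%" AND ProductType="3"'
}

function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Filters,
        [string]$Namespace = 'root\CIMv2'   # the namespace the notes use for every filter
    )
    foreach ($name in $Filters.Keys) {
        try {
            $hits = @(Get-CimInstance -Namespace $Namespace -Query $Filters[$name] -ErrorAction Stop)
            $err  = $null
        } catch {
            # A query that errors (bad class, bad syntax) never applies, same as in Group Policy processing
            $hits = @()
            $err  = $_.Exception.Message
        }
        [pscustomobject]@{ Filter = $name; Applies = ($hits.Count -gt 0); Matches = $hits.Count; Error = $err }
    }
}

# ProductType: 1 = workstation, 2 = domain controller, 3 = member/standalone server
$os = Get-CimInstance -ClassName Win32_OperatingSystem
'Local OS: {0}, version {1}, ProductType {2}, {3}' -f $os.Caption, $os.Version, $os.ProductType, $os.OSArchitecture
Test-GpoWmiFilter -Filters $filters | Format-Table -AutoSize
```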

2016 hardening (c:\temp\hardening\batch)

C:\Temp\Hardening\LGPO\LGPO.exe /g C:\Temp\Hardening\Win2K16

@echo Applying Registry Key

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\parameters" /f /v NodeType /t REG_DWORD /d 2

REG ADD "HKLM\Software\Policies\Microsoft\Windows\System" /f /v EnableFontProviders /t REG_DWORD /d 0

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\parameters" /f /v DisabledComponents /t REG_DWORD /d 255

REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v PortNumber /t REG_DWORD /d 7002

netsh advfirewall set allprofiles state off

Note: C:\Temp\Hardening\LGPO\LGPO.exe is the LGPO tool; C:\Temp\Hardening\Win2K16 is an exported GPO folder ({BECA2C5C-5F1B-4E44-B019-5071C7FFF41A}) that LGPO.exe /g imports.
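Added example, not part of the original notes: a PowerShell check that verifies the registry values written by the 2016 hardening batch above are present with the expected data and reports missing or drifted values, then shows the firewall profile state the batch also changes. The expected values come from the REG ADD lines above; the key paths are the standard Windows locations.

```powershell
# Added example (not from the original notes). Post-apply verification for the 2016 hardening
# batch: compares each expected registry value with what the machine actually holds.
$expected = @(
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';  Name = 'NodeType';            Value = 2    }
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';           Name = 'EnableFontProviders'; Value = 0    }
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters';  Name = 'DisabledComponents';  Value = 255  }
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'PortNumber'; Value = 7002 }
)

function Test-HardeningRegistry {
    param([Parameter(Mandatory)][object[]]$Expected)
    foreach ($e in $Expected) {
        # Missing key or missing value both come back as $null
        $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($e.Name) } else { $null }
        $state  = if ($null -eq $actual)                      { 'MISSING' }
                  elseif ([int64]$actual -eq [int64]$e.Value) { 'OK' }
                  else                                        { 'DRIFT' }
        [pscustomobject]@{ Key = $e.Path; Value = $e.Name; Expected = $e.Value; Actual = $actual; State = $state }
    }
}

$report = Test-HardeningRegistry -Expected $expected
$report | Format-Table -AutoSize -Wrap

# The batch also runs "netsh advfirewall set allprofiles state off"; record the resulting profile state
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# Non-zero exit lets a deployment tool flag hosts where the hardening did not land as expected
if (($report.State -contains 'MISSING') -or ($report.State -contains 'DRIFT')) { exit 1 }
```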

SCCM agent

ccmsetup.exe /mp:SCCMWMGTP1.ckwb01.citickawahbank.com SMSSITECODE=CCC FSP=SCCMWMGTP1.ckwb01.citickawahbank.com

ccmsetup.exe /mp:scommgtu1.uatckwb01.uatroot.ckwb SMSSITECODE=DVH FSP=scommgtu1.uatckwb01.uatroot.ckwb

ccmsetup.exe /mp:sccmwmgtp1.ckwb01.citickawahbank.com SMSSITECODE=CCC SMSMP=sccmwmgtp1.ckwb01.citickawahbank.com

ccmsetup.exe /mp:scommgtu1.uatckwb01.uatroot.ckwb SMSSITECODE=DVH SMSMP=scommgtu1.uatckwb01.uatroot.ckwb

SCOM

msiexec.exe /i MOMAgent.msi USE_SETTINGS_FROM_AD=1 MANAGEMENT_GROUP="CKWB01 Site" MANAGEMENT_SERVER_DNS=scommgtp1.ckwb01.citickawahbank.com ACTIONS_USE_COMPUTER_ACCOUNT=1 USE_MANUALLY_SPECIFIED_SETTINGS=1 AcceptEndUserLicenseAgreement=1 /qn

msiexec.exe /i KB4024942-amd64-Agent.msp /qn

msiexec.exe /i MOMAgent_x86.msi USE_SETTINGS_FROM_AD=1 MANAGEMENT_GROUP="CKWB01 Site" MANAGEMENT_SERVER_DNS=scommgtp1.ckwb01.citickawahbank.com ACTIONS_USE_COMPUTER_ACCOUNT=1 USE_MANUALLY_SPECIFIED_SETTINGS=1 AcceptEndUserLicenseAgreement=1 /qn

msiexec.exe /i KB4024942-i386-Agent_x86.msp /qn

msiexec.exe /i MOMAgent.msi USE_SETTINGS_FROM_AD=1 MANAGEMENT_GROUP="DVH" MANAGEMENT_SERVER_DNS=scommgtu1.uatckwb01.uatroot.ckwb ACTIONS_USE_COMPUTER_ACCOUNT=1 USE_MANUALLY_SPECIFIED_SETTINGS=1 AcceptEndUserLicenseAgreement=1 /qn

msiexec.exe /i KB4024942-amd64-Agent.msp /qn

msiexec.exe /i MOMAgent_x86.msi USE_SETTINGS_FROM_AD=1 MANAGEMENT_GROUP="DVH" MANAGEMENT_SERVER_DNS=scommgtu1.uatckwb01.uatroot.ckwb ACTIONS_USE_COMPUTER_ACCOUNT=1 USE_MANUALLY_SPECIFIED_SETTINGS=1 AcceptEndUserLicenseAgreement=1 /qn

msiexec.exe /i KB4024942-i386-Agent_x86.msp /qn

Shutdown Tool

@echo off

set hour=%time:~0,2%

set min=%time:~3,2%

if %hour% equ 21 (
    if %min% GEQ 25 (
        if %min% LEQ 35 (
            start "" ShutdownTool.exe /d:"Due to daily desktop security patrol activities and energy saving purpose, your computer is going to be Restarted in 30 minutes. Such robotic Restart can't be stopped. Please save your unfinished work and take some rest. Have a nice day! " /t:1800 /m:0 /e:0 /r /c /f
        )
    )
)

exit

Password_Expiration.vbs

Option Explicit

On Error Resume Next

Dim objShell
Set objShell = WScript.CreateObject("Wscript.Shell")

If isInDomain("ckwb01.citickawahbank.com") Then
    WScript.Quit
Else
    objShell.Run "cmd /c Password_Expiration_check.vbs", 0, True
    WScript.Quit
End If

Function isInDomain(ByVal strDomain)
    On Error Resume Next
    isInDomain = False
    Dim objSysInfo
    Set objSysInfo = CreateObject("ADSystemInfo")
    ' DomainShortName returns the NetBIOS domain name; the DNS name is in DomainDNSName
    If objSysInfo.DomainShortName = strDomain Then
        isInDomain = True
    End If
    Set objSysInfo = Nothing
End Function

Password_Expiration_check.vbs

'========================================
' First, get the domain policy.
'========================================
Dim oDomain
Dim oUser
Dim maxPwdAge
Dim numDays
Dim warningDays

warningDays = 7
Set LoginInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & LoginInfo.UserName & "")
strDomainDN = UCase(LoginInfo.DomainDNSName)
strUserDN = LoginInfo.UserName

Set oDomain = GetObject("LDAP://" & strDomainDN)
Set maxPwdAge = oDomain.Get("maxPwdAge")

'========================================
' Calculate the number of days that are
' held in this value.
' maxPwdAge is a negative 64-bit value in
' 100-nanosecond units; 864000000000 of
' those units make one day.
'========================================
numDays = CCur((maxPwdAge.HighPart * 2 ^ 32) + _
               maxPwdAge.LowPart) / CCur(-864000000000)
'WScript.Echo "Maximum Password Age: " & numDays

'========================================
' Determine the last time that the user
' changed his or her password.
'========================================
Set oUser = GetObject("LDAP://" & strUserDN)

'========================================
' Add the number of days to the last time
' the password was set.
'========================================
whenPasswordExpires = DateAdd("d", numDays, oUser.PasswordLastChanged)
fromDate = Date
daysLeft = DateDiff("d", fromDate, whenPasswordExpires)
'WScript.Echo "Password Last Changed: " & oUser.PasswordLastChanged

If (daysLeft < warningDays) And (daysLeft > -1) Then
    MsgBox "Your password will expire in " & daysLeft & " day(s)" & " at " & whenPasswordExpires & Chr(13) & Chr(13) & _
           "You will not be able to access to the systems by then, press CTRL+ALT+DEL and then click 'Change a password'", 4096, "PASSWORD EXPIRATION WARNING!"
End If

'========================================
' Clean up.
'========================================
Set oUser = Nothing
Set maxPwdAge = Nothing
Set oDomain = Nothing

Enable RDP

@echo off

sc config TermService start= auto

sc start TermService

exit /B %EXIT_CODE%