To slightly modify something that Edwin Starr sang in the 1970 hit “War”:
WINS!
What is it good for?
Absolutely NOTHING!
In most environments the WINS service is no longer necessary: NetBIOS name resolution has been replaced by DNS, so nothing should still depend on it.
NetBIOS over TCP/IP can (and should) be disabled on all endpoints (servers and workstations). Windows OS Hub has a great article on how to do that. Disabling it on the endpoints does not, however, remove the WINS service itself, which may still be installed and running on servers in the environment.
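As an added example (not from the original post or the Windows OS Hub article), the script below audits NetBIOS over TCP/IP on every IP-enabled adapter of one or more computers, and with -Disable turns it off. It uses the Win32_NetworkAdapterConfiguration class, whose TcpipNetbiosOptions value is 0 (take the setting from DHCP option 001, the default), 1 (enabled) or 2 (disabled). It assumes WinRM/CIM access and local administrator rights on the targets; the computer names are placeholders.

```powershell
# Added example: audit (and optionally disable) NetBIOS over TCP/IP per adapter.
# Assumes CIM/WinRM access and local admin rights on each target.
param(
    [string[]]$ComputerName = $env:COMPUTERNAME,
    [switch]$Disable
)

# Meaning of Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions
$NetbiosState = @{ 0 = 'default (DHCP)'; 1 = 'enabled'; 2 = 'disabled' }

foreach ($Computer in $ComputerName) {
    try {
        $Session = New-CimSession -ComputerName $Computer -ErrorAction Stop
    }
    catch {
        # Report unreachable hosts explicitly instead of silently skipping them
        [pscustomobject]@{ Computer = $Computer; Adapter = ''; NetBIOS = 'unreachable'; Result = '' }
        continue
    }

    # Only adapters that actually carry IP can have NetBIOS over TCP/IP bound
    $Adapters = Get-CimInstance -CimSession $Session -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($Adapter in $Adapters) {
        $Before = $NetbiosState[[int]$Adapter.TcpipNetbiosOptions]
        $After  = $Before
        if ($Disable -and $Adapter.TcpipNetbiosOptions -ne 2) {
            # SetTcpipNetbios(2) forces NetBIOS over TCP/IP off on this adapter; ReturnValue 0 = success
            $Result = Invoke-CimMethod -InputObject $Adapter -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            $After = if ($Result.ReturnValue -eq 0) { 'disabled' } else { "failed (return code $($Result.ReturnValue))" }
        }
        [pscustomobject]@{
            Computer = $Computer
            Adapter  = $Adapter.Description
            NetBIOS  = $Before
            Result   = $After
        }
    }
    Remove-CimSession $Session
}

# Usage (assumed file name):
#   .\Audit-Netbios.ps1 -ComputerName SERVER1, SERVER2              # report only
#   .\Audit-Netbios.ps1 -ComputerName SERVER1, SERVER2 -Disable     # report and disable
```

Run it without -Disable first: adapters reporting "default (DHCP)" are only as safe as the DHCP server's option 001, which is why value 2 (explicitly disabled) is the state to aim for. Adapters added later (a new VPN client, for example) start with the default again, so the audit is worth repeating.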
To detect the state of the WINS service on all Domain Controllers, I created the PowerShell script below. It gets a list of all DCs, then determines whether the WINS service is installed on each one and, if it is, reports the state of the service.
# Get-ADDomainController needs the ActiveDirectory (RSAT) module;
# Get-Service -ComputerName needs Windows PowerShell (it was removed in PowerShell 7)
$Servers = @(Get-ADDomainController -Filter *).Name
Foreach ($Server in $Servers)
{
    # SilentlyContinue also hides connection failures, so keep the error
    # to tell "service not found" apart from "could not reach the DC"
    $WINSService = Get-Service -ComputerName $Server -Name WINS -ErrorAction SilentlyContinue -ErrorVariable QueryError
    if ($WINSService)
    {
        Write-Output "$Server,installed,$($WINSService.Status)"
    }
    elseif ($QueryError -and $QueryError[0].CategoryInfo.Category -ne 'ObjectNotFound')
    {
        # Could not open the Service Control Manager on this DC; not the same as "not installed"
        Write-Output "$Server,unreachable,"
    }
    else
    {
        Write-Output "$Server,not installed,"
    }
}
This script needs to be run as a user with permission to query services on the Domain Controllers, from a machine that has the ActiveDirectory PowerShell module (RSAT) installed.
It writes its output in CSV format, similar to what is below:
SERVER1,installed,running
SERVER2,installed,stopped
SERVER3,not installed,
This should help identify Domain Controllers that are still running WINS, or that have the service installed but stopped (and could start it again after a reboot if the start type is still Automatic).
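The same check can be done over CIM instead of the Service Controller RPC interface. As an added example (not the post's script), the version below queries Win32_Service over WinRM, which still works under PowerShell 7 where Get-Service has no -ComputerName parameter, separates "unreachable" from "not installed", and adds the start mode, since a stopped service that is still set to Automatic will come back after the next reboot. It assumes the ActiveDirectory module and WinRM access to every DC; the output file name is a placeholder.

```powershell
# Added example: WINS service state and start mode on all DCs via CIM/WinRM.
# Assumes the ActiveDirectory module and WinRM access to each DC.
Import-Module ActiveDirectory

$Report = foreach ($Server in (Get-ADDomainController -Filter *).HostName) {
    try {
        # -ErrorAction Stop turns a WinRM/CIM connection failure into a catchable exception
        $Service = Get-CimInstance -ComputerName $Server -ClassName Win32_Service `
            -Filter "Name = 'WINS'" -ErrorAction Stop
        if ($Service) {
            [pscustomobject]@{
                Server    = $Server
                Installed = 'installed'
                State     = $Service.State      # Running / Stopped
                StartMode = $Service.StartMode  # Auto / Manual / Disabled
            }
        }
        else {
            # The query succeeded and returned no row: the service really is absent
            [pscustomobject]@{ Server = $Server; Installed = 'not installed'; State = ''; StartMode = '' }
        }
    }
    catch {
        # Do not let a connection failure masquerade as "not installed"
        [pscustomobject]@{ Server = $Server; Installed = 'unreachable'; State = ''; StartMode = '' }
    }
}

$Report | Sort-Object Server | Format-Table -AutoSize
# Placeholder path; the CSV can be kept as evidence of the clean-up
$Report | Export-Csv -Path .\WINS-on-DCs.csv -NoTypeInformation
```

A DC that shows "installed / Stopped / Auto" is the case to chase first: someone stopped the service but never removed the feature, so it will start again on the next patch-cycle reboot. Removing the WINS feature (or at least setting the start mode to Disabled) closes that gap.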
Have you ever been looking through Active Directory and notice something strange in one of the fields? Maybe the Organization or Description field has a weird string of letters, numbers, and characters. You think, “Huh, that kind of looks like a password.”
Ding! Ding! Ding!
Yes, it happens. Through lack of understanding or plain laziness, passwords sometimes end up in the plain-text fields of AD objects. This is dangerous because, by default, those attributes (Description, Info/Notes and the like) are readable by every authenticated user in the domain, so anyone with a domain account can harvest them with a simple LDAP query.
So how do you know if any of these fields are being used to store passwords? I managed to cobble together a PowerShell script that can help. (more…)
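As an added example (not the author's script, which is not reproduced on this page), the hunt below pulls a handful of free-text attributes for every user and computer object and flags values that look like credentials: either an explicit hint such as "pw:" or "password", or a single token of eight or more characters that mixes letters, digits and symbols. It assumes the ActiveDirectory module and a domain-joined session; the attribute list is a starting point, not a complete one.

```powershell
# Added example: find password-like values in world-readable AD attributes.
# Assumes the ActiveDirectory module; attribute list is an assumption.
Import-Module ActiveDirectory

# Free-text attributes that tend to get used as a scratch pad for credentials
$Attributes = 'description', 'info', 'comment', 'title'

function Test-LooksLikePassword {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }

    # Explicit hints: "pw:", "pwd=", "password is ...", "pass ..."
    if ($Value -match '\b(pw|pwd|pass|passwd|password)\b') { return $true }

    # A single token with 8+ characters that mixes letters, digits and symbols
    # (phone numbers lack letters, e-mail addresses usually lack digits)
    foreach ($Token in ($Value -split '\s+')) {
        if ($Token.Length -ge 8 -and
            $Token -match '[A-Za-z]' -and
            $Token -match '\d' -and
            $Token -match '[^A-Za-z0-9]') {
            return $true
        }
    }
    return $false
}

# Users and computers; service accounts are the usual offenders but computers
# get "notes" too. Any authenticated user can run this query by default.
Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=computer))' `
             -Properties (@('sAMAccountName') + $Attributes) |
    ForEach-Object {
        $Object = $_
        foreach ($Attr in $Attributes) {
            $Value = $Object.$Attr
            if (Test-LooksLikePassword $Value) {
                [pscustomobject]@{
                    SamAccountName = $Object.sAMAccountName
                    Attribute      = $Attr
                    Value          = $Value
                }
            }
        }
    } | Format-Table -AutoSize -Wrap
```

Expect some noise: "password never expires" in a description trips the keyword rule, and a title like "Eng-Lvl2/Ops" trips the token rule. The point is a short list to eyeball, not a verdict. Anything confirmed should be treated as a compromised credential (rotate it, then clear the attribute), because the value has been readable by the whole domain for as long as it has been there.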
Some time ago, I posted a PowerShell script to detect changes in external NS records for domains. I’ve made some modifications to the script to reduce false positives. Additionally, the script now emails the “before” and “after” results of the NSLookup command for easy comparison.
Updated script is below: (more…)
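Since the updated script itself is not shown here, the following is an added example (not the author's script) of the same idea: resolve the NS record set for each domain, compare it with a saved baseline, and report before/after on a change. The baseline comparison is done on a sorted, lower-cased set of host names, because authoritative servers are commonly returned in rotating order and comparing raw nslookup output on every run produces spurious "changes"; that design choice is this example's, not something the post states. It assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later); the domain list, baseline directory and the commented-out mail call are placeholders.

```powershell
# Added example: detect changes in a domain's public NS record set.
# Assumes Resolve-DnsName; domains and baseline path are placeholders.
$Domains = 'example.com', 'example.net'
$BaseDir = 'C:\NSBaseline'
New-Item -ItemType Directory -Path $BaseDir -Force | Out-Null

function Get-NSRecordSet {
    param([string]$Domain)
    # Keep only the NS answers (the resolver may add A records for the name
    # servers), normalise case and trailing dots, and sort so that server
    # rotation between queries does not register as a change
    Resolve-DnsName -Name $Domain -Type NS -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' } |
        ForEach-Object { $_.NameHost.ToLowerInvariant().TrimEnd('.') } |
        Sort-Object -Unique
}

foreach ($Domain in $Domains) {
    $BaselineFile = Join-Path $BaseDir "$Domain.txt"

    try { $Current = @(Get-NSRecordSet $Domain) }
    catch {
        # A failed lookup is not a record change; say so and keep the old baseline
        Write-Warning "$Domain : lookup failed ($($_.Exception.Message))"
        continue
    }

    if (-not (Test-Path $BaselineFile)) {
        $Current | Set-Content $BaselineFile
        Write-Output "$Domain : baseline created ($($Current -join ', '))"
        continue
    }

    $Previous = @(Get-Content $BaselineFile)
    if (Compare-Object -ReferenceObject $Previous -DifferenceObject $Current) {
        $Body = "Before: $($Previous -join ', ')`nAfter:  $($Current -join ', ')"
        Write-Output "$Domain : NS records CHANGED`n$Body"
        # Send-MailMessage -To 'soc@example.com' -From 'nsmon@example.com' -SmtpServer 'mail.example.com' `
        #     -Subject "NS change: $Domain" -Body $Body
        $Current | Set-Content $BaselineFile
    }
    else {
        Write-Output "$Domain : unchanged"
    }
}
```

Run it from a scheduled task a few times a day. If you want to catch a hijack at the registrar rather than at the zone, resolve against the parent (the TLD servers) with -Server instead of the local resolver; the delegation in the parent is what an attacker changes when they take over the registrar account, and a caching resolver can hide that for hours.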
I was recently reviewing the Advanced Security Audit settings available for Windows 2008 and above and decided to create a spreadsheet with all of the details. While Microsoft does have all of the details on their website, they are spread across multiple pages. Having everything in one document made it easier to research each setting, compare the defaults to existing settings, and make recommendations for changes. The spreadsheet can be downloaded from Google Drive below:
https://drive.google.com/file/d/0B7uH-SwTZjFQNTJVbHNnNFBhV3c/edit?usp=sharing
The spreadsheet contains two worksheets. The first gives the default for each setting and the volume of logs generated with each setting.
The second worksheet lists every Event ID generated by each setting and the message associated with each Event ID.
Hopefully this will be useful to others.
So, you have a PC on your network that you think might be infected with some malware. What do you do? Well, you could always PSExec into the computer and run a series of commands. But why not automate that process and store the results?
That was my motivation for writing this IR-Script. It is like a first response tool for investigating a possibly infected PC. You run the tool, gather a bunch of information, and store it for review. The script gathers the following information from a PC: (more…)
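As an added example (not the author's IR-Script, whose contents are not on this page), the collector below does the "run a series of commands and store the results" step over PowerShell remoting instead of PsExec: each collector is a script block executed on the suspect host, and its objects are written to CSV in a time-stamped folder so they can later be diffed against a known-good machine. It assumes WinRM is enabled on the target, the caller is a local administrator there, and Windows 8.1 / Server 2012 R2 or later with PowerShell 5.1 (for Get-NetTCPConnection, Get-ScheduledTask and Get-LocalGroupMember); the output root is a placeholder.

```powershell
# Added example: minimal first-response collector over PowerShell remoting.
# Assumes WinRM access and local admin rights on the target; PowerShell 5.1.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$OutputRoot = 'C:\IR'     # placeholder evidence location
)

$Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$OutDir = Join-Path $OutputRoot "$ComputerName-$Stamp"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Each script block runs on the remote host and returns objects
$Collectors = [ordered]@{
    processes   = { Get-CimInstance Win32_Process |
                    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate }
    services    = { Get-CimInstance Win32_Service |
                    Select-Object Name, State, StartMode, StartName, PathName }
    netconns    = { Get-NetTCPConnection |
                    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
    autoruns    = {
        # HKCU here is the remoting account's hive; other profiles live under HKU:\<SID>
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
            Where-Object { Test-Path $_ } |
            ForEach-Object {
                $Key = $_
                (Get-ItemProperty $Key).PSObject.Properties |
                    Where-Object { $_.Name -notmatch '^PS' } |   # drop the PSPath/PSDrive metadata
                    Select-Object @{ n = 'Key'; e = { $Key } }, Name, Value
            }
    }
    schedtasks  = { Get-ScheduledTask | Where-Object State -ne 'Disabled' |
                    Select-Object TaskName, TaskPath, State,
                        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } }
    localadmins = { Get-LocalGroupMember -Group Administrators |
                    Select-Object Name, ObjectClass, PrincipalSource }
    dnscache    = { Get-DnsClientCache | Select-Object Entry, Name, Type, Data }
}

foreach ($Name in $Collectors.Keys) {
    try {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $Collectors[$Name] -ErrorAction Stop |
            Export-Csv -Path (Join-Path $OutDir "$Name.csv") -NoTypeInformation
    }
    catch {
        # Record the failure rather than silently leaving a gap in the evidence
        "$Name : $($_.Exception.Message)" | Add-Content (Join-Path $OutDir 'errors.txt')
    }
}

Write-Output "Collection stored in $OutDir"
# Usage (assumed file name): .\Collect-FirstResponse.ps1 -ComputerName PC123
```

Two practical notes. Collect volatile data (connections, processes, DNS cache) before anything that changes state, which is why the dictionary is ordered. And connect with a dedicated response account rather than your everyday domain admin: WinRM uses a network logon, so no reusable credential is left on the suspect host the way an interactive or RDP logon would leave one, but the account still does not need more than local admin on that machine.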
If you read the computer security news feeds, you’ve probably heard about the recent Java 7 and IE 6-9 exploits. The problem is that these exploits are discovered before there are any patches or reasonable workarounds for them. Fortunately, there is something that can be done to provide some additional protection that doesn’t involve an anti-virus company. Earlier this year, Microsoft released the Enhanced Mitigation Experience Toolkit (or EMET) version 3. The goal of EMET is to make exploitation of Windows applications difficult or impossible using the common attack techniques we see today. It’s not a silver bullet and won’t protect against every type of attack. But it does add additional layers of protection to your system by enforcing DEP, ASLR, Heap Spray Protection and more. (more…)

I was installing BeEF (The Browser Exploitation Framework) on Windows 7 and ran into a couple of problems. I eventually got all of them fixed, so I thought I would write up a proper installation guide for future reference. (more…)