- DLC protocol / port driver
  Data Link Control protocol for connectivity to IBM mainframe systems and printer devices
  non-routable, not TDI-capable (no Server/Workstation service available over it)
- SAP = Service Advertising Protocol
  SAP Agent advertises services from a W2k Server and listens for IPX-based service advertisements
  Novell NetWare advertises its services every 60 seconds by broadcast
  the service database is maintained by the NetWare server
  e.g. Gateway Service for NetWare broadcasts SAP type 640
- Installation/Setup boot diskettes for Windows XP: downloadable from Microsoft, Q310994
- File and Print Services for other systems on W2k Server
  File Services for Macintosh
  Print Services for Macintosh
  Print Services for Unix
- Sharing protocol on Novell NetWare
  NCP = Novell Core Protocol (socket 0x451)
  used by Gateway (and Client) Services for NetWare
- Spooler directory for print jobs
  Start - Settings - Printers - File - Server Properties - Advanced
- Windows NT 4.0 and 2000 disk and storage terms (Disk Manager)
  Stripe Set = Striped Volume (32 disks) = RAID-0
  Volume Set = Spanned Volume (32 disks)
  Mirror Set = Mirrored Volume = RAID-1
  Stripe Set with Parity = RAID-5 Volume (more than 3 disks) = RAID-5
  Simple Volume ... can be extended into a "Spanned Volume" (only with NTFS)
- Network Monitor
  can detect other installations on the local segment of the network
  can detect all instances of the Network Monitor driver used remotely on the segment
  does this by sending multicasts (probably no transmission through routers)
  does NOT need promiscuous mode to operate (it is an NDIS driver)
- Promiscuous mode
  can raise processor load by over 30%: all network frames regardless of MAC address are processed by the OS
  used only by the FULL version of Network Monitor (from SMS)
- Promiscuous mode for the network card and Network Monitor
  System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\Linkage\RootDevice
  http://www.securityfriday.com/Topics/inspect_nic_mode.html
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nm\Parameters
  subkey ForcePmode, value named "MACAddressWithout-" = SZ = 1
- Account Logon Event vs. Logon Event
  Account Logon Event is recorded only on the DC, when authentication occurs
  Logon Event is recorded on the workstation, when LogonUser() is called
- GPO Loopback Processing
  applies the User Configuration from the computer's GPO to a user regardless of the user's own GPO
- COPY in the Recovery Console EXPANDS the file
- HAL texts for Computer (Q237556)
  ACPI Multiprocessor PC (halmacpi.dll)
  ACPI Uniprocessor PC (halaacpi.dll)
  Advanced Configuration and Power Interface (ACPI) PC (halacpi.dll)
  MPS Multiprocessor PC (halmps.dll)
  MPS Uniprocessor PC (halapic.dll)
  Standard PC (hal.dll)
  Compaq SystemPro Multiprocessor or 100% Compatible (halsp.dll)
  Silicon Graphics Visual Workstation (halborg.dll)
  (ACPI / ACPI Multiprocessor PC / ACPI Uniprocessor PC) and (Standard PC / MPS Multiprocessor PC / MPS Uniprocessor PC) are the only safe changes
  change it in Device Manager via Update Driver - use HAL.INF (the drivers are HAL and NTOSKRNL)
  Uniprocessor kernel: ntoskrnl.exe, ntkrnlpa.exe
  Multiprocessor kernel: ntkrnlmp.exe, ntkrpamp.exe
- Administrative shares
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
  AutoShareServer = 0
  AutoShareWks = 0
  when creating them in XP: "administrators have full control; other users have no access"
- Quota Management from a remote computer: map the administrative share and select Properties
- Microsoft Loopback Adapter: add a network device, Manufacturer = Microsoft
- Computer password change every 30 days
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
  MaximumPasswordAge
  DisablePasswordChange
  RefusePasswordChange (on the DC, to refuse password changes from workstations)
- Computer joining a domain
  a session under the administrative account is established with the DC (it tries to find a DC with the mycomputer$ account)
  enables/creates the computer account
  LSA creates the password
  LSA policy remembers the domain SID and name, DNS name, DNS forest name, domain GUID
  Domain Admins are inserted into the local Administrators group
  the NetLogon trusted domain cache is initialized
  NetLogon is started
  a computer object named computer$ is created
  SPNs are created on the computer object
  %systemroot%\Debug\Netsetup.log = join log
  10-computer join quota!
- Commands for domain join
    Netdom add /work1 /d:reskit.com /OU:OU=my-computers,DC=reskit,DC=com
    Netdom join /d:reskit.com /OU:OU=my-computers,DC=reskit,DC=com /reboot:120
- Service Pack
  w2ksp4_en.exe /X extracts to a directory; Update\update.msi
- Computer account (Q216393)
  account password change period is every 30 days
  account password = the secure channel's password
  netdom reset 'machinename' /domain:'domainname'
  the computer then must rejoin the domain (= NETDOM DELETE, NETDOM JOIN)
  disabling a computer account doesn't reset its password (it can be enabled again)
- SYSPREP
  [UserData]
  ProductID=1111-DDDD-...
  nosidgen = no name change, no new SIDs
  repartition = remove all partitions and create one from the whole disk
  autopartition=0 = do not use the default partition
  extendoempartition = extend the partition to the rest of the free space
- Repair Installation from the setup CD
  all files are new = wipes out the SP
  usable even for DCs
  removes all applications = only "Assigned" ones
- Emergency Repair Disk
  needs the SETUP loader booted = CD/boot disks
  %systemroot%\Repair contains the ERD data = registry.SAV, SecDC.inf, secsetup.inf (+ the registry can be backed up there)
  A:\ contains SETUP.LOG (contains the startup environment and copied files), AUTOEXEC.NT, CONFIG.NT
- Security Templates
  basicXX - reverts the whole security configuration except user rights (applied during program installation)
  secureXX, hisecXX - incremental increase of security (hisecXX doesn't require previous secureXX)
  compatws - decreases security for the Users group and removes all Power Users
  setup security - the actual security installed by setup
  dc security - created by DCPromo as the actual security setup (increment over "setup security")
- Domain Join: max 10 computers (Q231335)
  Join Computer To Domain = Authenticated Users!!!
  maximum of 10 computers without ACL permission
  adsiedit.msi, Domain property ms-DS-MachineAccountQuota
- ICS
  DHCP allocator
  DNS proxy
  when configured with a static IP other than 192.168.x.x, the DHCP allocator is disabled
  when it detects another DHCP server on the network, does the DHCP allocator disable itself??? - NOCOR: not true
  allows UDP connections (e.g. DNS) to pass from inside out and back (not the case for TCP/IP Filters) - COR
  doesn't allow RPC even when 135 is mapped inside - COR
- NTCONFIG.POL locally
  share "%SystemRoot%\System32\Repl\Import\Scripts" as NETLOGON and place the file there
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update
  UpdateMode is a REG_DWORD with the data values:
  0 - a policy file is not downloaded from a server and is not applied.
  1 - NTconfig.pol is downloaded (if present) from the NetLogon share of the %LogonServer% and applied.
  2 - the UNC path of the policy file is read from "NetworkPath" and, if present, downloaded and applied.
- DHCP movement
  copy %SystemRoot%\system32\Dhcp
  copy HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Configuration
  start DHCP Manager and for each Scope select Active Leases and click Reconcile (Q130478)
  Dhcp.mdb = the DHCP database in system32\dhcp
  Backup\Dhcpcfg - shutdown backup copy of the registry database (not a complete version of the .mdb)
  Backup\Jet\New\dhcp.mdb - backup shutdown copy of the .mdb file (Q173396)
  to recover from a crash: recover from the .mdb file, or generate a new .mdb from the registry (no complete lease info) - it must be reconciled. Temporary leases are generated with the possibility of renewal by the clients (unknown)
- JET.EXE command utility for Jet databases: jet.exe, jetpack.exe
- WINS Server uses a JET database
- System Policy for NT cannot be generated from GPO; POLEDIT.EXE must be used
- DHCP command utility DHCPCMD.EXE from the Support Tools
- .PDS and .USR
  PDS = profile directory structure = default NT 4.0 profile extension
  USR = default 3.5 profile extension
  (.MAN = mandatory profile)
- Novell NetWare
  TCP/IP natively on NetWare 5.0; currently 6.5
  7.0 has a Linux kernel but the same environment
  a 3-user server is free of charge
- NT 4.0 Default Users
  Default Users are placed in Power Users -> compatws.inf on W2k
- DFS: only one DFS root per server
- TS Licensing Server
  in a domain always on a DC, in a workgroup on either server
  temporary CALs expire after 90 days
  A temporary TS CAL token is presented to the device before the user enters credentials and is granted or denied access to connect. After the user has logged into the session, the Terminal Server instructs the License Server to mark the issued temporary TS CAL token as validated. The next time the client connects, an attempt is made to upgrade the validated temporary TS CAL token to a full TS CAL token.
  The expiration period is a random number of days between 52 and 89 days from issuance. If the expiration is within 7 days, the Terminal Server connects to the License Server and renews the TS CAL token for another 52-89 days. = solves reinstallation of the client (it stores the issued token)
  when TS CALs are out of stock, a temporary TS CAL is issued and after 89 days a new free licence is issued
  one-time permanent transfer to another device
- Microsoft Customer Services Representative (CSR)
  Terminal Services Licensing Customer Service Center (CSC)
  Microsoft Certificate Authority and Clearinghouse
  four connection methods to activate your license server and install licenses: Internet, World Wide Web (WWW), Telephone, and Fax
  LICENSE000 - license for the operating system (Windows 2000)
  LICENSE001 - TS CAL
  remove the key to delete a CAL: HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing\Store\LICENSE00x
  on NT 4.0 Terminal Server Edition there is only Application Server mode
  with Remote Administration mode only the Administrator/Administrators group can connect
  activation method "Telephone" will show the Clearinghouse telephone number for my region
  a TS CAL is not required for users who have a Windows 2000 license (installed W2k computers)
- KSETUP for domain setup, usable with an MIT Kerberos Server for the domain...
- WINS
  File and Printer Sharing on the server must be enabled - the local WINS Manager searches for the <20> suffix over the network and when unsuccessful, WINS lookup is not possible.
  to recreate a corrupted database: stop WINS, delete system32\WINS and start WINS
- JET Database compaction
  stop the service, run JETPACK
  Never have temp.mdb in the directory (used by JETPACK as a temp file and it will be deleted)
  ESENT or ESE: do not store these on a compressed drive! write-through delays = corruption
  Active Directory (NTDS), File Replication service (FRS), Windows Internet Name service (WINS), DHCP, Security Configuration Engine (SCE), Certificate Server, Terminal Services Session folder, Terminal Services Licensing service, Catalog database, Help and Support Services, Directory Synchronization service (MSDSS), Remote Storage (RSS), Phone Book service, Single Instance Store (SIS) Groveler, Windows NT Backup/Restore, Exchange store, Microsoft Exchange folder (SRS and DXA), Key Management service (KMS), Instant Messaging, Content Indexing
- Security Database and logs and Group Policy
  %SystemRoot%\Security\Database\Secedit.sdb - can be compared with the actual system settings
  %SystemRoot%\Security\logs
  %SystemRoot%\system32\GroupPolicy\USER|MACHINE\registry.pol
- NTFRS
  moving the work directory: HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\NtFrs\Parameters, Working Directory
  the database is recreated safely from nothing
- Kerberos event logging
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  LogLevel = 1
- Off-line files can be used only without TS installed
  CSC = Client Side Cache
- EFS
  without the private key (exported with delete) decryption is not possible
  importing a certificate silently overwrites the same certificate (including the private key)
  every time EFS has no certificate with a private key (e.g. one without it), it creates a new one if it needs it
  decrypting multiple files encrypted with different keys works if I have multiple certificates with private keys (including imported ones)
  the EFS certificate cache survives log-off (a restart is needed)
  with multiple usable certificates only the last one generated by EFS is used
  EFS re-encrypts files with new certificates even when their original certificates are accessible (even on READ)
  EFS hard-sets new Recovery Agents according to policy even when the file is only READ
  cipher /K creates a new certificate and archives the old one for accessibility
  Only the Microsoft Base, Enhanced and Strong Cryptographic Service Providers may be used with the Encrypting File System. Smart cards and strong private key protection placed on key containers are also not supported with EFS. = no GUI for a PIN from LSASS, remote server without a smart card
  RSA encryption of a symmetric key that was generated outside the card is required for EFS. = not widely supported by smart cards
  Win2k clears the key cache on reboot, XP on logoff
  efsinfo.exe
  when accessing a remote workstation, the LSA there is able to load the user's local profile and decrypt the file (also for a recovery agent)
  when restoring a file somewhere else where the original Encrypting File System certificate exists, it gets re-encrypted with the new one!!!
  when accessing a remote workstation re-encryption also happens according to the usual rules
  ntbackup always backs up encrypted files as encrypted, even if I have the key
  the certificate cache is user-sensitive (different users don't get access when the right user accesses) = OK for remote access
  LSA loads the profile, but not its registry
  XP SP1 resolves the problem when the password was changed and the user logged on with older cached credentials
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS
  EfsConfiguration = 1 turns OFF EFS
- Password Reset loses
  web page credentials
  file share credentials
  EFS-encrypted files
  certificates with private keys (SIGNED/ENCRYPTED e-mail)
  only when forced by an admin - not by the user
  a Password Reset Disk can revert a password change to the previous state
  the user can revert his password change through Control Panel / User Accounts
- Kerberos
  from the AS: a TGT ticket for the TGS
  accounts exist for computers, domain trust accounts (inter-realm), krbtgt for the AS and TGS
  logon = ticket for the machine
- Delegation
  computer = "Account is trusted for delegation" - the computer can obtain a FORWARDABLE TGT and request a TGS from the KDC
  user = "Account is sensitive and cannot be delegated" - the KDC issues only NON-FORWARDABLE TGTs
- IE5 supports Kerberos (older versions do NOT)
- Windows 98 compatibility
  NTLMv1 (DSClient contains NTLMv2)
  MS-CHAPv1 (not MS-CHAPv2, TLS)
  no L2TP, no IPSec
- EFS private key is stored only privately and never leaves the store (even with a CA)
  the hash of the LAST used certificate is in the registry (SetUserFileEncryptionKey()) for reuse
  when the hash is not present, a new certificate is enumerated from the store (or a new one is generated)
  cache size of user keys = 100 (so new keys will purge older ones)
- IPSec exemptions
  netsh ipsec dynamic set config ipsecexempt value={0 | 1 | 2 | 3}
  0 - all allowed
  1 - block 88 and RSVP
  2 - block even broadcast/multicast
  3 - default on W2k3
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC
  NoDefaultExempt = REG_DWORD = 0..3
- Kerberos versions
  v4 = without preauthentication
  v5 = Windows 2000 with preauthentication
  PKINIT = certificate authentication
  a DC must be available for logon (not for Admins, and it can be disabled in CCS\C\Lsa\Kerberos\IgnoreGCFailures)
  Universal groups are then not enumerated and the user could be allowed access to denied resources
  an SMB connection by \\IP.IP.IP.IP doesn't use Kerberos = it requires an SPN, and IPs change too frequently
- NTLMv2
  in NT 4.0 SP4+, in DSClient for Windows 98 (from W2k Adv Srv)
  signs the PAC = Privilege Attribute Certificate (NTLMv1 doesn't)
  the PAC is signed with the krbtgt master key = prevents malicious server-side services from modifying it (the LSA validates this pass-through with the KDC)
  the PAC is also signed with the service's master key
  uses either RC4-HMAC (128) or the weak DES (56) for compatibility
  levels 0-3 are for clients = responses; levels 4-5 are for servers
- NT4 passwords are hashed with RC4-HMAC (used with Kerberos encryption too)
- SYSKEY even for AD, must be present on all DCs. Prevents remote DC restart.
- Network Monitor (netmon.exe) parsers from the Resource Kit: wins.dll; Wlbs_hb.dll, Wlbs_rc.dll (load balancing)
  installation: place the .dll into the Parser subdirectory (older ones require modifications in Parser.ini, tcpip.ini)
- only DOMAIN GPO settings: Password, Account, Kerberos
- SMB signing adds over 10-15% overhead; runs even on NT 4.0
- "Automatically log off users when logon time expires"
  this only makes the Server service disconnect sessions, not interactive logons.
  net accounts /forcelogoff: /domain
- NET ACCOUNTS and an account file
  .CSV file:
    Name,Type,Description,
    Joe,User,,
    Sally,User,Account created for Sally,
    Betty,User,,
    Bob,,
  typed at the command prompt (skip the header line, take the first comma-separated field):
    for /F "skip=1 tokens=1 delims=," %i in (file_name.csv) do net user %i /times:logon_times
  logon hours for a workstation can be set only with NET USER (no GUI)...
- ICMP
  ICMP Redirect = the default gateway can redirect a packet to a better router connected to the same segment - this informs the sender about the better route - a host route with a 10-minute lifetime is added to the route table for that destination IP address
  ICMP Destination Unreachable - Fragmentation Needed = Windows 2000 by default sets the DO NOT FRAGMENT flag in IP
  PMTU Discovery can be disabled for black-hole routers: EnablePMTUBHDetect=1
  EnablePMTUDiscovery=1, or the packets will be WITHOUT dontfragment
  Maximum Transmission Unit (MTU) - TCP/IP updates its MSS (Maximum Segment Size) and the packets are always under the MTU - use ping -f -l
  ICMP Router Advertisement = routers periodically send this to all-hosts (224.0.0.1)
  ICMP Router Solicitation = sent by hosts to all-routers (224.0.0.2)
  PerformRouterDiscovery, SolicitationAddressBCast
  ping -f is for DON'T FRAGMENT
  Ethernet has an MTU of 1500 bytes
  Token Ring has an MTU between 4,464 (4 MB Token Ring) and 17,914 bytes (16 MB Token Ring)
  FDDI has an MTU of 4,532
  IEEE 802.3/802.2 - 1492 bytes MTU
  X.25 - 576 bytes MTU
  IP over ATM - 9188 bytes MTU
  the MTU of the local network card is discovered and announced to TCP/IP
  services\tcpip\interfaces\mtu = current MTU
  services\tcpip\param\DatabasePath = HOSTS, LMHOSTS, ... %systemroot%\system32\drivers\etc
- ATM
  connection oriented (traditional LANs are packet-switching networks)
  uses a VC = virtual circuit = pre-staged virtual circuit (not like TCP with routing)
  small packets of 53 bytes = predictable, optimized buffers and algorithms
  no inherent limitation of speed (relies only on the maximum speed of the transport medium)
  negotiates QoS for the transmission before the VC is established (ensures the quality over the whole ATM network)
- LPR = Line Printer Remote (the client, e.g. LPR client); LPD = Line Printer Daemon (Unix)
  LPR/LPD are included in Print Services for Unix - the LPDSVC service runs only over TCP/IP
  lpr.exe and lprmon.exe are used as clients for printing to Unix servers
- Client & Print Services for Macintosh run only over AppleTalk (and this is even installed automatically)
- Printing GPO: "Prevent users from installing printer drivers"
  on workstations defaults to "Disabled", on servers defaults to "Enabled"
  so "Users" can add printer drivers on a workstation even if the drivers are not actually present on the system!!!
  PnP printers can be added even by ordinary Users (non-PnP only by Admins).
  USB printers can be detected automatically
  LPT printers must be added by the Wizard, but can be detected by the Wizard
  COM printers are NOT PnP compliant
  Network printers cannot be detected
- AD is possible when a DC is online (one of the AD features)
- Enterprise Admins & Schema Admins are universal groups (global groups in mixed mode), only in the forest root
- Security logs throughout computers (batch file; names.txt holds one computer name per line):
    @echo off
    rem start with an empty output file
    del alllogs.txt
    rem dump the Security log of every listed computer into one file
    for /F "tokens=1 delims=," %%i in (names.txt) do (
      dumpel -l Security -S \\%%i >> alllogs.txt
    )
    rem search the merged dump for one account name
    findstr /N /I /C:"ondra" alllogs.txt
- MAC VPN restrictions are not possible; use a certificate with L2TP for machine authentication instead
- GUEST access
  guest is a member of Domain Users, Domain Guests, Guests and Users
  GUESTS group members' profiles are deleted on logoff (not when the user is also in Administrators)
  logging on with a wrong name and password = Guest/Karel - in the audit only the LogOff is visible
  this is not an Anonymous Login = login from LocalSystem only - in the audit only the LogOff is visible
  telnet does not allow the guest logon type
  guest mapping works fine only for local accounts - a domain does not!
  on XP, see the security setting "Network access: Sharing and security model for local accounts"
  this is not affected by "Additional Restrictions for anonymous users" - this is not an anonymous logon
- Telnet --is not true--
  TelnetUsers - group for those users who should have access to the telnet server (default only Admins???)
  there is none on W2k Pro
  only 2 licences are available on W2k Srv by default
  runs only over TCP/IP
  terminals: VT100, VT52, VTNT, ANSI
  to run FAR: use the "SET" setting before connecting to the server and SET TERM=VTNT
  window settings must be set up before connecting to the server
  NTLM: 0 = none, 1 = try NTLM first, 2 = only NTLM
- Virtual PC
  HKEY_CURRENT_USER\Software\Connectix\Virtual PC\4.0\Configuration\\Networking
  Ethernet Card Count = XXX
  824510 How to Use the Virtual Switch Networking Setting to Assign a Network Adapter to a Virtual PC Guest PC
  824509 Virtual Switch Networking Options in Virtual PC for Windows
  does NOT need hardware reinstallation (unlike VMware) on different computers
- Recovery Console
  1) cannot delete any directory in the root, only files
  2) cannot browse any directory in the root
  3) cannot format removable media (A:\)
  4) cannot copy anything from C:\ to e.g. A:\ (access denied); the other direction is enabled
  more info: Q318752
  SET can modify some rules:
  AllowAllPaths = FALSE: prevents access to folders and subfolders outside the system installation that you selected when you entered the Recovery Console.
  AllowRemovableMedia = FALSE: prevents access to removable media as a target for copied files.
  AllowWildCards = FALSE: prevents wildcard support for commands such as copy and del.
  NoCopyPrompt = FALSE: you are prompted by the Recovery Console for confirmation when you overwrite an existing file.
  !!! the Local Policy "Recovery Console: Allow floppy copy and access to all drives and all folders" MUST BE ENABLED FIRST to enable use of the SET command from the console
- DS Restore Mode Administrator password / Recovery Console admin password
  setpwd.exe or NTDSUTIL.EXE = SAM Administrator password change
  when booted to DSRM only SAM accounts are available, so the Admin password can be changed!!!
  when installing Active Directory, new SAM accounts are created after all previous accounts are upgraded and deleted
- Force replication after the tombstone interval
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters
  Allow Replication With Divergent and Corrupt Partner = REG_DWORD = 1
- Set the tombstone interval
  Cn=Directory Services, cn=WindowsNT, cn=Services, cn=Configuration
- Hardware
  ACPI - power-saving features (MPS not)
  ACPI - co-developed by Hewlett-Packard, Intel, Microsoft, Phoenix, Toshiba
  ACPI - OS-directed configuration and power management
  Advanced Power Management (APM) APIs - older and superseded
  transitioning the CPU or devices to low-power states is at the direction of the OS (the older architecture does this through the BIOS)
  ACPI - devices can wake up the computer
  stand-by = CPU and hardware are idle, hw wakes up on interrupt, only power conservation
  suspended = the lowest power state to operate in (even the CPU is suspended), can be invoked by the BIOS on severe events (e.g. temperature)
  hibernate = software feature
  older applications can misbehave when the system is woken up => turn off power management
  the BIOS must support ACPI => when installing W2k, setup checks the BIOS for compliance (when the motherboard supports it) and can disable this feature
  APM - older, supported by Windows 98; W2k detects it and is either Automatically ON, Disabled, or Neutral and can be enabled = Power Options [APM]
  a device driver can refuse standby
  Standby and Hibernate are disabled with Terminal Services
  hot-docking only with ACPI
- Network Connection disabling = disables the network card, and vice versa
- SYSPREP is only used for NON-PnP device enumeration!
- When "Computer Management" reports an error on starting - disable IIS.msc when IIS is not installed
- HOSTS file: only a single match; using more IPs for the same name has no effect
- WiFi
  802.11a, 802.11b, 802.11g, 802.11x
  a MITM attack by a rogue AP is undetectable except with some sniffer of the wireless communication
  open/closed APs (advertise / don't advertise their presence and SSIDs)
  DSSS method = Discrete Sequence Spread Spectrum (around 2.4 GHz)
  FHSS method for Bluetooth (is not 802.11) = Frequency Hopping Spread Spectrum
- SMB shares cannot work with aliases: HKLM\LanManServer, DisableStrictNameChecking = DWORD = 1
- Restart service = restarts ALL stopped services!!!! the best solution for a Server
- TCP/IP ephemeral port numbers (BSD sockets/WinSock range 1024 through 4999)
  above 1024 for clients, allocated automatically by the IP stack to let clients communicate
  TIME_WAIT must always expire: 240 seconds = 2x MSL = Maximum Segment Life
  ephemeral port numbers can be exhausted (e.g. FTP connections; not SMB = only one session per user/transport)
  exhausted ephemeral ports = "address already in use" error
  BSD Sockets restrict ports <1024 to the superuser only
  ephemeral range: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, MaxUserPort = valid 5000 - 65534
- Sharing on XP Professional = max 10, Home = max 5
- AD duplication: ADPREP (it is on the installation media in i386)
- Printing to W2k from DOS: net use lpt3 "\\server\printer" - is a legal command from DOS
- XP and WEP
  SP0 enables WEP authentication without the authentication server
  SP1 requires an authentication server to be present and kills the connection after 3 minutes
- DFS
  dfsutil - Support Tools, to troubleshoot
  PKT = Partition Knowledge Table = stores the topology; the machine connects to one of its referrals
  PKT = DFSName x UNCName
  the PKT is in AD or in the Registry (for stand-alone servers)
  DFS can use links even to Novell NetWare file shares
  DFS is site-aware
  MUP.SYS is the DFS client; it resolves the paths
  95 - downloadable client; 98 - built-in client; NT 4.0 - built-in client
- Cached credentials
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  ReportControllerMissing = REG_SZ = TRUE (uppercase!)
  HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
  ReportDC = DWORD = 1
- IPs and 169.254 APIPA
  private: 10. /8; 172.16 /12 = n*16 = 16, 32, 48, 64, 80, ...; 192.168 /16 (RFC 3330)
  169.254.0.0/16 - the "link local" block = single-link communication, autoconfiguration
  reserved: 191.255.0.0/16 = highest B; 192.0.0.0/24 = lowest C; 192.0.2.0/24 = TEST-NET, example.com, example.net - used in books and documentation; 223.255.255.0/24 = highest C
- Security
  SHA-1 = 160 b = 20 B
  MD5, MD4 = 128 b = 16 B
  RC2 = 40 b, 128 b
  RC4 = 40 b, 128 b
  DES = 64 b / 56 b
  RSA = 512-2048 b
  Schannel = Diffie-Hellman provider
- Automatic discovery of proxy
  doesn't work on NT 4.0 and 95
  either DHCP option 252 + DNS (remote access users don't get it), or DNS only:
  http://wpad.domainsuffix.net:80/wpad.dat
  http://wpad.domainsuffix.net:80/wspad.dat - firewall service
  MUST BE LOWERCASE in DHCP: NOT http://isaserver:8080/Wpad.dat, BUT wpad.dat
- Preventing the Local GPO from being applied: NTFS permissions on "Registry.pol"
- Slipstreaming of patches (Q828930; drivers Q814847)
  only for Update.exe:
  - no registry key is added: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB824146\Filelist
  - the patch is listed in Add/Remove Programs, but no "Remove" button is available
  = in i386 of the installation edit "DOSNET.INF": [OptionalSrcDirs] svcpack
  = create i386\svcpack and copy KBnumber.exe into the i386\svcpack directory
  decompress all files, keep only the latest versions of the patches (if some binaries have the same name)
  delete older versions from the original i386 distribution
  if there are some subfolders in the patch, replace the original subfolder in the i386 distribution
  = add the not-yet-listed files into dosnet.inf [Files]
  = delete the svcpack.in_ file
  = create a new svcpack.inf and fill it in appropriately
- VPN from a shortcut: rasdial.exe
  cmak.exe = Connection Manager Administration Kit from AdminPack.msi
- IE notes
  everything left of @ is ignored
  % escapes are ignored (decoded transparently)
  www.paypal.com@%77%77%77.%61%7a.%72%75/%70%70%64
  http://www.webservice.com:www.server.com@192.168.10.10/spampage.html (username:password before the @)
  a proxy can ignore addresses even in the format xxx*xx*a*
  MICROSOT: www.microsoft.com@%77%77%77.%6d%69%63%72%6f%73%6f%74.%63%6f%6d
  www.microsoft.com%40%77%77%77.%6d%69%63%72%6f%73%6f%74.%63%6f%6d
- NetBIOS b-node broadcasts = UDP datagrams
- unattended.txt vs. winnt.sif: only one method will work.
- NODE type
  HKLM\...\SVCS\NetBT\Parameters, NodeType = 1,2,4,8 (B,P,M,H)
  M = broadcast first
  to change the default NodeType the system must be restarted!
- SNMP: "public" is the common password; MIB = Management Information Base
- Novell IPX/SPX
  socket numbers: 0x451 = NCP Server, 0x455 = NetBIOS, 0x452 = SAP, 0x453 = RIP
  network numbers: 4 bytes, flat space, can use network masks (0xAB000000 / 0xFF000000 stands for AB000.. - ABFFF..)
  Windows socket number = MAC + Network + Socket
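The IE notes above show how a URL can be dressed up so that the part a user reads (left of the @, or hidden behind %xx escapes) is not the host the browser contacts. The following is an added example, not from the original notes; it is a small Python check that a defender can run over URLs from mail or proxy logs to show the displayed name beside the host that will really be resolved. It assumes, as the notes state, that the browser decodes %xx escapes before interpreting the authority and ignores everything left of the last @. The sample URLs are the ones from the notes.

```python
from urllib.parse import urlsplit, unquote

# Sample URLs copied from the notes above (the third one uses an encoded "@",
# %40, which the notes say is treated like a literal "@").
SAMPLE_URLS = [
    "www.paypal.com@%77%77%77.%61%7a.%72%75/%70%70%64",
    "http://www.webservice.com:www.server.com@192.168.10.10/spampage.html",
    "www.microsoft.com%40%77%77%77.%6d%69%63%72%6f%73%6f%74.%63%6f%6d",
]


def real_host(url):
    """Return (apparent_host, actual_host) for a possibly obfuscated URL.

    Assumption taken from the notes: %xx escapes are decoded before the
    authority is interpreted, and everything left of the last '@' is
    user-info that plays no part in name resolution.  So decode first,
    then parse.
    """
    decoded = unquote(url)
    if "://" not in decoded:
        decoded = "http://" + decoded          # no scheme given: assume http
    parts = urlsplit(decoded)
    userinfo = parts.netloc.rpartition("@")[0]  # '' when there is no '@'
    # What a user would read: the user-info (up to a ':' password separator)
    # if present, otherwise the genuine host.
    apparent = userinfo.split(":", 1)[0] if userinfo else parts.hostname
    return apparent, parts.hostname


def looks_deceptive(url):
    """True when the user-info looks like a hostname (contains a dot) and
    differs from the host that will actually be contacted."""
    apparent, actual = real_host(url)
    return apparent != actual and "." in (apparent or "")


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        apparent, actual = real_host(u)
        flag = "DECEPTIVE" if looks_deceptive(u) else "ok"
        print(f"{flag:9} shown as {apparent:22} -> really {actual}   ({u})")
```

The decoded forms make the trick obvious: the first sample resolves www.az.ru, the third resolves www.microsot.com (note the missing "f"), while the text a user sees is the trusted name.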
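The TCP/IP ephemeral-port notes above (range 1024 through MaxUserPort, TIME_WAIT of 240 seconds, "address already in use" when the range is exhausted) can be turned into a simple check on netstat output. This is an added example in Python, not part of the original notes: it parses the Windows "netstat -an" format, counts local TCP ports inside the ephemeral range, and computes the connection rate the range can sustain given the TIME_WAIT time from the notes. The netstat text is constructed for the example, not captured from a real machine.

```python
import re

# Constructed sample of Windows "netstat -an" output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1025          10.0.0.9:21            TIME_WAIT
  TCP    10.0.0.5:1026          10.0.0.9:21            TIME_WAIT
  TCP    10.0.0.5:1027          10.0.0.9:21            ESTABLISHED
  TCP    10.0.0.5:139           10.0.0.7:1040          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One TCP line: protocol, local addr:port, foreign addr:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\w+)\s*$")

EPHEMERAL_LOW = 1024          # lowest client port, per the notes
DEFAULT_MAX_USER_PORT = 5000  # MaxUserPort default on Windows 2000, per the notes
TIME_WAIT_SECONDS = 240       # 2 x MSL, per the notes


def ephemeral_usage(netstat_text, max_user_port=DEFAULT_MAX_USER_PORT):
    """Count local TCP ports in use inside 1024..max_user_port.

    Returns a dict with the number of distinct ports used, the size of the
    range, the percentage used and a breakdown by socket state (TIME_WAIT
    sockets still occupy a port until they expire)."""
    used, states = set(), {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header, blank or UDP line
        port, state = int(m.group(2)), m.group(3)
        if EPHEMERAL_LOW <= port <= max_user_port:
            used.add(port)
            states[state] = states.get(state, 0) + 1
    size = max_user_port - EPHEMERAL_LOW + 1
    return {
        "used": len(used),
        "range": size,
        "percent": round(100.0 * len(used) / size, 1),
        "states": states,
    }


def exhaustion_warning(netstat_text, max_user_port=DEFAULT_MAX_USER_PORT,
                       threshold=80.0):
    """True when the ephemeral range is at least `threshold` percent used."""
    return ephemeral_usage(netstat_text, max_user_port)["percent"] >= threshold


def sustainable_rate(max_user_port=DEFAULT_MAX_USER_PORT,
                     time_wait=TIME_WAIT_SECONDS):
    """Outbound connections per second that can be opened indefinitely:
    every port spends `time_wait` seconds in TIME_WAIT before reuse."""
    return (max_user_port - EPHEMERAL_LOW + 1) / time_wait


if __name__ == "__main__":
    usage = ephemeral_usage(SAMPLE_NETSTAT)
    print(f"{usage['used']} of {usage['range']} ephemeral ports in use "
          f"({usage['percent']}%), by state: {usage['states']}")
    print(f"sustainable rate with defaults: {sustainable_rate():.1f} conn/s")
```

With the default MaxUserPort of 5000 the range holds 3977 ports, which at 240 seconds of TIME_WAIT allows roughly 16.6 new outbound connections per second before ports run out; raising MaxUserPort (valid up to 65534 per the notes) is the usual fix for clients such as busy FTP or proxy hosts.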
- Subnet broadcasts
  MAC = 0xffffff
  IP = subnet broadcast
- Terminal Services
  port 3389: hklm/system/control/terminalserver/winstations/rdptcp/portnumber (dword)
  encryption: Low - secures logon and data to the server; Medium - secures everything with 40-bit (Client v5.0 uses 56-bit); High - 128-bit
  cipher strength can be viewed from the window properties / Help / About
  CTRL+ALT+END - Windows Security
  ALT+PAGE UP / ALT+PAGE DOWN - switch programs
  ALT+HOME - Start menu
  CTRL+ALT+BREAK - full screen
  CTRL+ALT+Minus, Plus - screen snapshots
  pasting is enabled, but not files
  printer redirection either automatic or manual by IP/name; the queue is lost when logging off
  Terminal Services Internet Connector license - licence for 200 connections from the internet
  TsInternetUser = account for use with the Internet Connector licence
- Licence prices
  2000 - 5x = 2 800,-
  2003 - 5x = 20000,-
  TS - 5x = 6 300,- (OS licences are required as well)
  www.autocont.cz: W2k 9000,-; XP Pro 9500,-; XP Home 6000,-; W2k AdvSrv /50 135000,- /25 115000,-; W2k Srv /25 50000,-; 03 Srv /25 21000,-; 03 Entr /25 115000,-
  per-seat CALs are not required for servers (only for workstations)
- ActiveX controls
  safe for initialization
  safe for scripting
  signed
  safe controls:
  - do not manipulate the file system
  - do not manipulate the registry (except to register and unregister themselves)
  - do not overindex arrays or otherwise manipulate memory incorrectly
  - validate (and correct) all input
  - do not misuse any data about the user or provided by the user
  ActiveX Control Pad: initialization, placement at a position on the HTML page with the size given by the parameters:
    <OBJECT ID="jmenoInstance" CLASSID="CLSID:59CCB4A0-727D-11CF-AC36-00AA00A47DD2"
      CODEBASE="http://www.myown.com/ax.cab#version=1,0,0,1" WIDTH="500" HEIGHT="66">
  CATID_SafeForInitializing = 7DD95801-9882-11CF-9FA9-00AA006C42C4
  CATID_SafeForScripting = 7DD95802-9882-11CF-9FA9-00AA006C42C4
  HKEY_CLASSES_ROOT\CLSID\{Class-guid}\Implemented Categories\{safeforwhat-guid}
- IE Security
  "Access data sources across domains" - access to databases
- Terminal Services Application Security Tool (Reskit)
  restricts applications from running through CreateProcess(), but not NtCreateProcess()
  security: on the RDP connection, on the user account, user right
- Move until reboot
  Session Manager, PendingFileRenameOperations: \??\karel.txt!\??\cilovysoubory
- PPTP: port 1723
- TCP/IP filters
  filter only inbound (not TCP connections originating locally) - COR
  do not filter loopback
  kill e.g. NSLOOKUP (UDP packets) - COR
  it is clear that UDP is much more difficult to filter (allow) on firewalls (no connection is made from inside, so how to determine the connection???)
  do not allow RPC either when only 135 is opened (the ephemeral ports should be opened too :-) = COR
- DHCP Relay Agent is NOT on W2k Pro
- RIP
  v2 - multicasts, so RIPv1 routers cannot receive the multicasts
  v1 - broadcasts
  v2 - can be configured to broadcast its traffic
  RIPv2 Authentication - cleartext password, prevents receiving from unauthenticated clients
  RIP Peer Security - list of routers from which routes will be accepted
  RIP Route Filters - list of routes which are acceptable (e.g. 10.x.x.x)
  RIP Unicasting (Neighbors) - not using broad/multicasting; instead unicast to the list
- WINS announces itself through the 224.0.1.24 multicast. Other WINS servers can be configured to obtain it as a replication partner.
- RPC over a firewall
  HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
  Port, REG_MULTI_SZ = 5000-5050, 5098
  UseInternetPorts = Y/N (use the ports or not use the ports, but the others yes)
  default is 1024-65535 (not registry configured)
  DCOM doesn't work through NAT
- DCOM: DCOMCNFG.EXE
- Netlogon traffic not through NAT
  older clients running NT 4.0/9x with NetBIOS Netlogon do not go through NAT
  Windows 2000 NAT does not edit the IP in the NetBIOS header, so it is wrong.
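The ActiveX notes above record where a control declares itself safe: a subkey under HKEY_CLASSES_ROOT\CLSID\{Class-guid}\Implemented Categories named after CATID_SafeForInitializing or CATID_SafeForScripting. A defender auditing a workstation wants the list of controls that carry those categories, because those are the ones a web page may instantiate and script. The following is an added example, not from the original notes or any Microsoft tool: a Python parser for a .reg export of the CLSID hive that reports, per control, the friendly name and which safety categories it claims. The .reg text and its CLSIDs are constructed for the example; the two CATID values are the ones from the notes. Offline use keeps it independent of winreg, so it runs anywhere an export can be copied to.

```python
import re

# CATID values from the notes above.
CATID_SAFE_FOR_INIT = "7DD95801-9882-11CF-9FA9-00AA006C42C4"
CATID_SAFE_FOR_SCRIPTING = "7DD95802-9882-11CF-9FA9-00AA006C42C4"

# Constructed .reg export (the two CLSIDs are made up for this example).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}]
@="Example Control A"

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\example\\a.ocx"

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{22222222-0000-0000-0000-000000000002}]
@="Example Control B"

[HKEY_CLASSES_ROOT\CLSID\{22222222-0000-0000-0000-000000000002}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
"""

# Matches the CLSID key itself, or one of its "Implemented Categories" subkeys.
KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\\{([0-9A-Fa-f-]+)\}"
    r"(?:\\Implemented Categories\\\{([0-9A-Fa-f-]+)\})?\]$"
)
NAME_RE = re.compile(r'^@="(.*)"$')   # default value = friendly name


def scan_reg(text):
    """Return {CLSID: {"name", "safe_init", "safe_script"}} for every control
    in a .reg export of HKEY_CLASSES_ROOT\\CLSID."""
    controls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current = None                 # any new key ends the previous one
            m = KEY_RE.match(line)
            if not m:
                continue                   # other subkeys (InprocServer32, ...)
            clsid, catid = m.group(1).upper(), m.group(2)
            entry = controls.setdefault(
                clsid, {"name": "", "safe_init": False, "safe_script": False})
            if catid is None:
                current = entry            # the CLSID key: next @= is its name
            elif catid.upper() == CATID_SAFE_FOR_INIT:
                entry["safe_init"] = True
            elif catid.upper() == CATID_SAFE_FOR_SCRIPTING:
                entry["safe_script"] = True
            continue
        n = NAME_RE.match(line)
        if n and current is not None:
            current["name"] = n.group(1)
    return controls


def scriptable_controls(text):
    """CLSIDs that claim 'safe for scripting', i.e. callable from web pages."""
    return sorted(c for c, e in scan_reg(text).items() if e["safe_script"])


if __name__ == "__main__":
    for clsid, e in scan_reg(SAMPLE_REG).items():
        print(f"{clsid}  {e['name']:20}  init={e['safe_init']}  "
              f"script={e['safe_script']}")
```

Run it against an export taken with "regedit /e" of the CLSID key; every control that shows script=True should be one you expect to be exposed to web content, and the list is a good input for the "safe controls" criteria listed above.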
- Device Manager hidden devices:
  set devmgr_show_nonpresent_devices=1
  cd\%SystemRoot%\System32
  start devmgmt.msc
- mountvol = volume mount points
- remote shutdown/reset/logoff: Computer Management, Properties, ..., Shutdown
- Stress tests: BCM Diagnostics Pro; RST Pro (RAM Stress Test, from Ultra-X); Micro2000 Ultimate Diagnostic Toolkit; PCDOCRX; QUICKTECH
- METABASE editor for IIS 5.0: metaedit2.2
- Hardware: monitors are detected as "Default Monitor" when one of the following is not PnP: card, display driver, monitor. Even for non-PnP devices, the driver could be partially PnP enabled. ISA PnP - the system only reserves their settings so as not to allocate them to PCI PnP.
- Printer PORT Local can accept any file resource - even a share name, shared printer name, ... To access the resource, the user is impersonated!
- Printing to file: the file can be copied to LPT1, COM3, ...; the file can be sent by LPR.EXE to some network printer. Digital turbo PrintServer 2.0 is a PostScript printer, so files produced will be in that format.
- PostScript printers: Apple LaserWriter; Digital turbo PrintServer 2.0
- File extension association in the registry: HKCR
  .ini
  inifile\shell
  inifile\shell\open
  inifile\shell\open\command
  Directory - directory
  {20D04FE0-3AEA-1069-A2D8-08002B30309D} - MyComputer
  {208D2C60-3AEA-1069-A2D7-08002B30309D} - MyNetworkPlaces
- Connect printer from Command Prompt: con2prt (RcKit)
- Shell Folder redirection: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- IPP, Internet Printing Protocol: uses HTTP for transport
  http://PrintServer/Printer
  http://MyPrintServer/LaserPrinter - by exact name
- Printing policies: "Prevent Users from installing printer drivers"
- Additional printer drivers for 9x, NT only on Server distributions: CD\PRINTERS\WIN9x, NT4
- Generic / Text Only printer driver prints only text to file
- Shell change: GPO-User-Admin-System-Custom User Interface
- MMC snap-ins can be disabled for user: GPO-user-admin-wincomp-mmc
- TCP/IP hardening against SYN flood: SynAttackProtect = 0, 1, 2; TcpMaxPortsExhausted; TCPMaxHalfOpen; TCPMaxHalfOpenRetried; EnableDeadGWDetect = 0, 1; EnablePMTUDiscovery; KeepAliveTime
- NetBT name release attack: Netbt\Parameters, NoNameReleaseOnDemand = 1
- Uninstall wrong items: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- RIS: SP3 enables installation for Server and XP Professional
  1023 ---> UDP 53 on server - COR
  then it tries TCP >1024 ---> TCP 53 on server - NOTCOR (possibly through registry ??)
- Automatic opening of .DOC files in Internet Explorer: "Folder Options", "File Types", ".DOC", "Advanced", "Confirm open after download" and "Browse in the same window"
- Control Panel, Users: control userpasswords; control userpasswords2 - old console available in Windows XP
- autochk, chkdsk, chkntfs
  autochk - runs each startup (HKLM\...\Control\SessionManager\BootExecute = autocheck)
  chkdsk - actually checks the disks (even NTFS)
  - occasionally started by autochk.exe at startup
  - when the volume cannot be dismounted, schedules the check for next boot
  - cannot manually schedule checks for boots (use chkntfs)
  chkntfs - schedules checks for restart, prints info about next scheduled checks, ...
  autochk = chkdsk by source code (autochk must run without virtual memory, so some changes occurred).
- 2003 default DC has SMB signing ON!!!!
- SMB Signing only: 98 with DS Client; NT40 with SP2
- Update to 2003: SMB Signing is on by default; 2k must be SP3; ADPREP - /forestprep and /domainprep
- Monitoring - Office for Personal Data Protection (ÚOOÚ): Monitoring of e-mail and protection of employees' privacy and personal data http://www.uoou.cz/stan_praxe_1_2003.php3
- APIPA: IPAutoconfigurationEnabled = DWORD = 0/1, PerAdapter!!!; 3-minute APIPA timeout for DHCP DISCOVER
- GDISK, GHOST
  gdisk /status ... status
  gdisk /cre ... create partition
  gdisk /del ... delete partition
  gdisk /cre /pri /sz:15 ... cre-ates a pri-mary partition of 15 MB size
  gdisk /del /pri:nth ... del-etes the nth pri-mary partition
- i386 install folder, not from CD: HKLM\Soft\MS\Windows NT\CurrentVersion; HKLM\Soft\MS\COM3\Setup; HKLM\Soft\MS\MSDTC\Setup; HKLM\Soft\MS\Transaction Server\Setup
- VPC MAC configuration: .vmc file is XML ... ethernet_card_address
- NETSTAT in 2003: netstat -o ... displays PID
- TCP/IP filtering: ICMP is not filtered!!!! it is "its own protocol", not an IP protocol
- MSL: HKLM\...\TcpIp\Parameters TcpTimedWaitDelay = DWORD = 30-300 s.
  (Default 120 s)
- DNS Client Negative caching - caches even negative queries, so after a correction it is still not working. To stop negative caching: NegativeCacheTime, NegativeSOACacheTime, NetFailureCacheTime = DWORD = 0
- IPv6: XP = download - Advanced Networking Pack for Windows XP; 2003 = native; 2000 = NO SUPPORT from MS
- Router Discovery
  client joins 224.0.0.1 = all hosts
  router joins 224.0.0.2 = all routers
  routers send "router advertisements" to 224.0.0.1 (to all hosts)
  clients can send "router solicitations" to all routers (224.0.0.2)
  on client - HKLM\..\TCPIP\Param\Interface\PerformRouterDiscovery = DWORD = 1
  on server - RRAS configuration, Enable Router Discovery.
  SolicitationAddressBCast = DWORD = 1 ... not multicast, but broadcast.
- Multicasting: routers transmit multicasts! A client does not need to be a member of a multicast group to send packets to it. IP 225.0.0.5 => Ethernet Multicast 01-00-5E-00-00-05
- ACK, delayed ACK, SACK Support on Win2000: Windows sends an ACK only when one is needed and NO DATA arrived for the past 200 ms. SACK - acknowledges even non-continuous data received (specifies even the lower edge)
- MAC address: first 24 bits = vendor OUI or Company_id = defined by IEEE http://standards.ieee.org/regauth/oui/index.shtml; next 24 bits = vendor specific. Example: 0003FF = Connectix
- Network Monitor Driver usable only with SMS version of monitor
- MBSA: MBSACLI - use the /HF switch to get only the list of missing patches.
- MSI samples: adminpack.msi; admx.msi; mbsa.msi; twcli32.msi; Books Online; updated PPTVIEWER.MSI!!!!!!
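The 225.0.0.5 => 01-00-5E-00-00-05 mapping and the OUI note above, worked through as an added Python example (not code from the original notes): the low 23 bits of the group address are copied into the fixed 01-00-5E prefix, the 32 groups that therefore share one MAC are enumerated, and an OUI lookup runs against a constructed sample table holding only the 0003FF = Connectix prefix the notes give.

```python
"""IP multicast-to-Ethernet MAC mapping and OUI lookup.

Added example, not code from the original notes. Implements the rule behind
the notes' 225.0.0.5 -> 01-00-5E-00-00-05: the low 23 bits of the group
address are copied into the fixed IANA prefix 01-00-5E. The OUI table is a
constructed sample that only contains the vendor prefix the notes give.
"""
import ipaddress

# Constructed sample OUI table (first 24 bits of the MAC -> vendor).
SAMPLE_OUI_TABLE = {
    "0003FF": "Connectix",   # prefix quoted in the notes (Virtual PC adapters)
}


def multicast_mac(group):
    """Map an IPv4 multicast group (224.0.0.0/4) to its Ethernet destination MAC.

    Only the low 23 bits of the address survive; 01-00-5E supplies the top
    25 bits, so the high bit of the second octet is lost (see colliding_groups).
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(addr) & 0x7FFFFF
    octets = (0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return "-".join(f"{o:02X}" for o in octets)


def colliding_groups(group):
    """All 32 multicast groups that map to the same MAC as `group`.

    28 variable IP bits are squeezed into 23 MAC bits, so a NIC filtering on
    MAC alone still receives 31 unrelated groups; the IP layer must filter again.
    """
    base = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | base)) for hi in range(32)]


def oui_vendor(mac, table=SAMPLE_OUI_TABLE):
    """Vendor for the first 24 bits of a MAC written as 00-03-FF-.., 00:03:ff:.. or 0003FF.."""
    hexdigits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac}")
    return table.get(hexdigits[:6], "unknown")


if __name__ == "__main__":
    for g in ("225.0.0.5", "224.0.1.24", "224.0.0.1", "224.0.0.2"):
        print(f"{g:>12} -> {multicast_mac(g)}")
    print("groups sharing 01-00-5E-00-00-05:", ", ".join(colliding_groups("225.0.0.5")))
    print("00-03-FF-12-34-56 ->", oui_vendor("00-03-FF-12-34-56"))
```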
- WINS and NetBIOS
  NetBIOS Scope ID: HKLM\..\NetBT\Parameters\ScopeID = REG_SZ = scopeID
  WINS Proxy server: HKLM\..\NetBT\Parameters\EnableProxy = REG_DWORD = 1/0
  Query DNS when NetBIOS is unsuccessful: HKLM\..\NetBT\Parameters\EnableDns = REG_DWORD = 1/0
- DNS Scavenging must be enabled both on the Server and on the Zone; full age of existing records can be done by DNSCMD
  refresh intervals: - restart - every 24 hours - DHCP allocations
  on shutdown, the machine deregisters its record
- Netlogon's DNS registrations: System32\Config\netlogon.dns can be manually added into the DNS server when dynamic updates are not allowed
- SUS client necessary only for Win2000 SP2-- and XP SP0
  configure: import the wuusu.adm template; set "Specify intranet Microsoft update" to point to the SUS server
- Windows XP fast logon option: used to log on users without having initialized the network (from cache!!!)
  not used for: - first-logon users - users with roaming profiles
- DNS Wildcarding: *.microsoft.com MX 10.0.0.5 will produce possibilities such as petr@exchange.microsoft.com but not petr@microsoft.com
- Resource Kits on TechNet: http://www.microsoft.com/windows2000/techinfo/reskit
- IE automatically detect settings: DHCP option 252, with string property, URL to .INS configuration file; or DNS record for WPAD - http://wpad.domain.com:autodiscoveryport/wpad.dat; the name of the file must be exactly "wpad.dat". When configuring ISA server for autodiscovery, it must be enabled.
- URLScan prevents: AllowDotInPath=0 --> "/abc.dll/foo.bar.htm" for .DLL, .COM, .EXE
  extracting URLScan from IIS Lockdown: iislockd.exe /q /c /t:c:\lockdown_files
  Log is located in: %WINDIR%\System32\Inetsrv\Urlscan\Urlscan.log
  configuration: Urlscan.ini
- PCI VendorID/DeviceID/SubsystemID/RevisionID; vendor IDs: http://pciids.sourceforge.net/iii/ www.pcidatabase.com
- IIS Lockdown Tool undo configuration: start "IIslockd.exe"; this does not re-enable any of the removed services
- Make Kerberos use TCP: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters MaxPacketSize = DWORD = 1
- Computer password change: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  DisablePasswordChange = REG_DWORD = 0/1
  MaximumPasswordAge = REG_DWORD = 1-1000000 days
- RRAS Tracing: HKLM/Soft/Microsoft/Tracing !!!!! tracing files go to C:\WINNT\Tracing
- UserEnv debug logging: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  UserEnvDebugLevel = DWORD = NONE 0x00000000, NORMAL 0x00000001, VERBOSE 0x00000002, LOGFILE 0x00010000, DEBUGGER 0x00020000
  log: %SystemRoot%\Debug\UserMode\Userenv.log
- Reinitialize EFS recovery agent: regsvr32 -u sclgntfy.dll; regsvr32 sclgntfy.dll; the previous policy certificate MUST be deleted!
- Generate an "EFS File Recovery" certificate: cipher /R (only on 2k3) !MUST import the .pfx file into the admin's profile - newly created key pair!!
- EFS: an imported EFS encryption certificate cannot use "Strong protection for private key"; EFS does not support strong protection
- Public Key always??? contains 3081 8902 8181 at the beginning and 0301 0001 at the end ???????????????????????????
- EFS new encryption key pair for user: cipher /K
- EFS renew all DEFs and DDFs in all files on local drives: cipher /U
- WinInstall LE 2003 by OnDemand software: www.ondemandsoftware.com
- ISO image is ISO 9660; for a floppy image use DD.EXE
- Clear all Windows Installer (.MSI) info from the registry and Add/Remove Programs: Support Tools/MSICUU.exe
- Convert username to SID: Resource Kit/GetSID.exe
- Instead of SETX you can use PATHMAN
- EFS in XP uses AES 256 (not DESX): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
  AlgorithmID = DWORD = 3DES112 = 0x6603 (FIPS 140-1 compliant algorithm); DESX128 = 0x6604 (the only one for Windows 2000); AES256 = 0x6610
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\RSAKeyLength Range: 1024 to 16384.
- FIPS: Federal Information Processing Standards; FIPS 140-1 = Security Requirements for Cryptographic Modules
- Get an MS-DOS bootable floppy diskette: XP: Explorer/Format/Make DOS boot diskette
- MS-DOS, MSDOS troubleshooting Q314106. Should have only:
  Config.nt
  ---------
  dos=high, umb
  device=%SystemRoot%\System32\Himem.sys
  files=20
  Autoexec.nt
  -----------
  lh %SystemRoot%\System32\Mscdexnt.exe
  lh %SystemRoot%\System32\Redir
  lh %SystemRoot%\System32\Dosx
  lh %SystemRoot%\System32\Nw16 (only if CSNW is installed)
  lh %SystemRoot%\System32\Vwipxspx (only if CSNW is installed)
  Ntio.sys, Ntdos.sys, Ntvdm.exe, Ntvdm.dll, Redir.exe
- IANA numbers: http://www.iana.org/numbers.html
- Disable DNS dynamic update: System\CurrentControlSet\Services\Tcpip\Parameters DisableDynamicUpdate = REG_DWORD = 1/0
- Clients' DNS dynamic update, if enabled: with a static IP, the client (DHCP Client service!!!!) registers both A and PTR; with a static IP, NO DEregistration is performed - use scavenging!
- TS Licensing Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
  DefaultLicenseServer = REG_SZ - overrides the License Server discovery process
  TS uses the LS in its own domain (if not specified otherwise with the registry)
  discovery: - RPC to ALL DCs in the TS domain - if not found, query AD for an Enterprise License Server
  monitoring: lsreport (from RKit)
- Internet lookups: www.dnsstuff.com (also SPAM test); ip.iol.cz; whois.ripe.net; www.ripe.net/whois, www.completewhois.com; www.internic.com; GRC port scan; whois (UNIX); www.iana.org - TCP/UDP ports; DNS root hints actual version; IEWatch
- Regedit histories: CU\Soft\MS\Win\CV\Applets\Regedit; CU\Soft\MS\Win\CV\Explorer\RunMRU
- Switching techniques: Cut-through (after the first 12 bytes for ethernet); Store-and-Forward; Fragment-Free Switching (first 64 - most errors); circuit switching; packet switching
- ADSL: approx. 6-8 MB/600-800 Kb over 5 km for classic copper wire lines
- SNMP
  .0 = .ccitt; .2 = .joint; .1 = .iso; .3 .6 .1 = .org.dod.internet; .mgmt = 2; .private = 4; .microsoft = 311
  MSFT.MIB = 1.3.6.1.4.1.311; DHCP - 311.1.3; WINS - 311.1.2; FTP - 311.1.7.2; HTTP - 311.1.7.3
  snmputil
  mibcc (compiles my own MIB file - e.g.
  MSFT.MIB)
  HKLM\Sy\CCS\Services\SNMP\Parameters\ExtensionAgents
  UDP 161 - listening Agent; UDP 162 - Manager listens for Traps
  .1.3.6.1.2.1.2.2.1.8 = .iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOperStatus; .0 - single value (or the number of the table's row)
  traps: ColdStart, WarmStart, LinkDown, LinkUp, authenticationFailure, egpNeighborLoss, enterpriseSpecific
  http://www.oreilly.com/catalog/esnmp/chapter/ch02.html
  http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cneb_snp_ahdt.asp
  and at the bottom: http://www.microsoft.com/technet/prodtechnol/winntas/maintain/getting.mspx
  http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2&mibName=IANAifType-MIB
- Add workstations to domain limit 10 - the ms-DS-MachineAccountQuota attribute only applies to users not granted the DS ACL CREATE_COMPUTER_OBJECT
- FWClient 04 config: %allusersprofile%/AppData/MS/FwClient04; %userprofile%/Local Settings/AppData/MS/FwClient04
  common.ini; management.ini; application.ini; locallat.txt
  [TrayIcon] TrayIconVisualState=1
  ICQ.EXE [icq]
  mspclnt_i.log
- Commands to manage AD: dsadd, dsrm, dsquery, dsget, dsmov; csvde - csv import/export; eventtriggers - event trigger settings
- Special DHCP messages and DHCP options
  DHCPINFORM / DHCP INFORM - only from client to server (if it knows the server's IP, unicast, otherwise broadcast!)
- "ask for additional information", client MUST have IP configured - server responds WITHOUT any check on allocations - sends DHCPACK message with the parameters - for manually configured machines to pick up some additional settings - or to get other DHCP options from DHCP server DHCP FORCERENEW - unicast to clients from DHCP server to switch them to the RENEW state to try to obtain renewal by standard means The same meaning with different terms: in BOOTP - vendor extensions in DHCP - options DHCP packet contains SNAME field - Host Name OPTIONS included in DHCPDISCOVER can contain SUGGESTED configuration parameters OPTIONS included in DHCPOFFER can contain options submited from server - client options: parameter request list requested IP address IP address lease time - RAS and DHCP leases RAS leases itself from DHCP server several IP addresses, and provides clients with ONLY THE IP ADDRESS which HAS NO LEASE TIME (so client shows leasstart=leasexpires). Their lease expires when they disconnect. No options from DHCP server are passed to clients only when RAS server is itself configured with: WINS Server address DNS Server address it will pass it to the clients itself - RAS/DHCP 10 leases HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\IP InitialAddressPoolSize = REG_DWORD = def:10 leased addresses are cached in registry when DHCP server is unavailable, RAS issues APIPAs - DHCPINFORM to detect rogue DHCP servers or authorized ones when server is not a member of AD, it issues DHCPINFORM and detects this way other DHCP servers. When none of them is present, it issues DHCPINFORM again each 5 min. - LSA secret for machine account password $MACHINE.ACC RESOURCE$ (on MaSTER), G$$MASTER (on RESOURCE) - RESOURCE domain trusts MASTER domain HKLM\Security\Policy\Secrets - G$$MASTER \SAM\SAM\Domains\Account\Users\Names - RESOURCE$ - DNS and EDNS0 packet sizes original DNS allows only UDP packet sizes of 512 bytes. 
  EDNS0 allows the client to tell the server what maximum size is allowed - by using an OPT RR in the request
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters MaximumUdpPacketSize
  sometimes blocked by firewalls (assuming some kind of overflow attack)
  dnscmd /config /EnableEDNSProbes - whether or not the DNS server probes other servers to see if they use EDNS
- Turn off USB disk detection: usbstorage.sys ?.inf
- VPN L2TP IPSec with preshared key secret: How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication Q240262; manual creation of the IPSec tunnel.
- VPN L2TP without encryption: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters ProhibitIpSec = REG_DWORD = 1
- RRAS creates its IPSec policy rule in the running! IPSec policy agent, so when the IPSec policy agent needs to be restarted, RRAS must be restarted next as well!!!
- IPSec troubleshooting without IPSecMon: netdiag /test:ipsec /debug
- DNS server queries run from DNS port UDP 53; can be changed in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters\SendOnNonDnsPort
- Remote Registry access: HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers
  winreg = the key's security determines who may access
  winreg\AllowedPaths - which keys are allowed; bypasses the security on winreg
- CCS\Control\LSA RestrictAnonymous = 2 ... Everyone does not contain Anonymous Logon ... means "No access without explicit anonymous permissions"
  RestrictAnonymousSAM ... is a separate option
- Anonymous access (NULL session): Shares accessible anonymously; Logon from network; Bypass traverse checking
- Anonymous enumeration of shares: \\ip\IPC$ \\ip\pipe\srvsvc; "Do not allow enumeration of shares" - does NOT need to be enabled!!!!
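The DHCPINFORM behaviour described in the "Special DHCP messages" note above (client already configured, server answers with parameters only and no lease), worked through as an added Python example that is not code from the original notes. It builds a DHCPINFORM asking for option 252 (the WPAD URL from the IE auto-detect note), builds the matching DHCPACK and parses both; the XID, MAC, addresses and WPAD URL are constructed sample values.

```python
"""Minimal DHCPINFORM / DHCPACK builder and parser (RFC 2131, RFC 2132).

Added example, not code from the original notes. It reproduces the exchange
the notes describe: a client that already has an address (ciaddr set) sends
DHCPINFORM asking only for extra parameters, and the server answers with a
DHCPACK that carries options but no address and no lease time. Option 252
(WPAD URL, from the IE auto-detect note) is the extra parameter requested.
XID, MAC and all addresses below are constructed sample values.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_SUBNET_MASK, OPT_DNS, OPT_LEASE_TIME = 1, 6, 51
OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_WPAD, OPT_END = 53, 55, 252, 255
DHCPACK, DHCPINFORM = 5, 8
MSG_NAMES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE", 5: "DHCPACK",
             6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM", 9: "DHCPFORCERENEW"}


def _ip(text):
    return bytes(int(x) for x in text.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def _header(op, xid, ciaddr, yiaddr, mac):
    """236-byte fixed BOOTP header: op, htype=1 (Ethernet), hlen=6, hops, xid,
    secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr[16], sname[64], file[128]."""
    return (struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
            + _ip(ciaddr) + _ip(yiaddr) + _ip("0.0.0.0") + _ip("0.0.0.0")
            + mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128)


def _options(opts):
    """Magic cookie followed by TLV options, terminated by the End option (255)."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts:
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def build_inform(xid, client_ip, mac, requested):
    """DHCPINFORM: ciaddr holds the client's existing address, yiaddr is zero,
    and option 55 lists the parameters the client wants."""
    opts = [(OPT_MSG_TYPE, bytes((DHCPINFORM,))), (OPT_PARAM_REQ, bytes(requested))]
    return _header(BOOTREQUEST, xid, client_ip, "0.0.0.0", mac) + _options(opts)


def build_ack_for_inform(xid, client_ip, mac, server_opts):
    """Server reply to INFORM: DHCPACK with parameters only. The server does not
    consult its lease table, assigns no yiaddr and must not send option 51."""
    if any(code == OPT_LEASE_TIME for code, _ in server_opts):
        raise ValueError("an ACK to DHCPINFORM must not carry a lease time")
    opts = [(OPT_MSG_TYPE, bytes((DHCPACK,)))] + list(server_opts)
    return _header(BOOTREPLY, xid, client_ip, "0.0.0.0", mac) + _options(opts)


def parse(packet):
    """Decode header fields and option TLVs; ValueError on a malformed packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _, _, _, xid, _, _ = struct.unpack("!BBBBIHH", packet[:12])
    msg = {"op": op, "xid": xid, "ciaddr": _ip_str(packet[12:16]),
           "yiaddr": _ip_str(packet[16:20]), "options": {}}
    i = 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                    # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option at offset %d" % i)
        code, length = packet[i], packet[i + 1]
        msg["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_NAMES.get(msg["options"].get(OPT_MSG_TYPE, b"\x00")[0], "unknown")
    return msg


def inform_exchange():
    """Constructed INFORM -> ACK round trip; returns (parsed INFORM, parsed ACK)."""
    xid, mac, client_ip = 0x1A2B3C4D, bytes.fromhex("0003ff112233"), "192.168.1.50"
    inform = parse(build_inform(xid, client_ip, mac, [OPT_SUBNET_MASK, OPT_DNS, OPT_WPAD]))
    ack = parse(build_ack_for_inform(xid, client_ip, mac, [
        (OPT_SUBNET_MASK, _ip("255.255.255.0")),
        (OPT_DNS, _ip("192.168.1.1")),
        (OPT_WPAD, b"http://wpad.example.test/wpad.dat"),   # constructed URL
    ]))
    return inform, ack


if __name__ == "__main__":
    req, resp = inform_exchange()
    print(req["type"], "from", req["ciaddr"], "requesting", list(req["options"][OPT_PARAM_REQ]))
    print(resp["type"], "yiaddr", resp["yiaddr"], "WPAD", resp["options"][OPT_WPAD].decode())
```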
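The EDNS0 mechanism from the "DNS and EDNS0 packet sizes" note, as an added Python example (not code from the original notes): a query is built with and without the OPT pseudo-RR, and a parser walks the message to recover the UDP payload size the client advertised, falling back to the classic 512-byte limit when no OPT record is present. The query name and sizes are constructed values; nothing is sent on the network.

```python
"""Build a DNS query carrying an EDNS0 OPT pseudo-RR and read the advertised
UDP payload size back out of a message (RFC 1035, RFC 2671).

Added example, not code from the original notes. A plain query has ARCOUNT=0
and implies the classic 512-byte UDP limit; with EDNS0 the client appends an
OPT record (NAME=root, TYPE=41) whose CLASS field carries the largest UDP
payload it accepts. All packets are constructed in memory.
"""
import struct

TYPE_A, TYPE_OPT = 1, 41
CLASS_IN = 1
LEGACY_UDP_LIMIT = 512


def encode_name(name):
    """Dotted name -> DNS labels; '' or '.' becomes the root (a single 0x00)."""
    out = bytearray()
    for label in name.strip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("label too long")
            out += bytes([len(label)]) + label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_name(msg, offset):
    """Decode labels at offset, following compression pointers; returns
    (name, offset just past the name as it appears at the original position)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = offset + 2
            hops += 1
            if hops > 128:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(qname, txid=0x1234, udp_payload=None, dnssec_ok=False):
    """Recursive A query; when udp_payload is given an OPT RR is appended:
    NAME=root, TYPE=41, CLASS=payload size, TTL=ext-rcode|version|flags, RDLEN=0."""
    arcount = 1 if udp_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD=1
    msg = header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if udp_payload:
        ttl = (0 << 24) | (0 << 16) | (0x8000 if dnssec_ok else 0)     # DO bit
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl, 0)
    return msg


def advertised_udp_size(msg):
    """Walk every section and return the OPT CLASS value, or LEGACY_UDP_LIMIT
    when no OPT RR is present (what a pre-EDNS0 peer must assume)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return LEGACY_UDP_LIMIT


if __name__ == "__main__":
    for payload in (None, 4096):
        q = build_query("www.example.test", udp_payload=payload)
        print(f"{len(q)} bytes, advertised UDP size: {advertised_udp_size(q)}")
```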
- SP2 RPC settings (not working from Windows 2003): HKLM\Software\Policies\Windows NT\RPC
  EnableAuthEpResolution = clients will automatically authenticate
  RestrictRemoteClients = 0, 1 (only for nonauthenticated endpoints), 2 (without exceptions)
- XP SP1 UDP timeout: UDP timeout = 90 sec; Broadcast timeout = 3 sec
- WebDAV redirector: does not support HTTPS; supports basic and other authentications (basic is disabled by default in XP SP2): HKLM\SYSTEM\CCS\Services\WebClient\Parameters\UseBasicAuth (DWORD)
  to GET a script source, WebDAV uses MS's extension header translate: f
- Disabling BASIC Authentication from clients: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel disables Basic Authentication over non-HTTPS connections (from any WININET API user - IE etc.)
- GPO ADM files (Administrative Templates) - copied from %windir%\inf to the ADM folder in the GPO each time the timestamp of those in the \inf folder is newer than in ADM!
  prevent: User Configuration\Administrative Templates\System\Group Policy "Turn Off Automatic Updates of ADM Files"
  Edit the GPO from the SPx or new operating system release to let them update.
- Gratuitous ARP packet: a packet used to announce your presence without being generated in response to any request from another machine.
  disable this: \System\CurrentControlSet\Services\TcpIp\Parameters ArpRetryCount = 0 (NT); ArpRetryCount = 1 (2000)
  an IP address conflict DISABLES the interface and RE-broadcasts the original ARP to restore the others' ARP caches
- Important TCP/IP settings: ArpAlwaysSourceRoute; DisableIPSourceRouting - is disabled BY DEFAULT in Windows 2000; EnableICMPRedirects - ICMP redirects; this adds a new HOST route to the local routing table!
- Windows\Inf\NetFw.Inf: Windows Firewall installation file; the firewall must be restarted after settings are uploaded: netsh firewall reset
  ICF.AddReg.StandardProfile - computer not connected to the domain network
  ICF.AddReg.DomainProfile - computer connected to the domain's network
- AD Settings: Services\NTDS\Parameters\TCP/IP Port - port for replication
  HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters - LdapSrvPriority: priority registered for the LDAP SRV record
- Passwords in Active Directory
  userPassword (UTF-8 write-only attribute)
  unicodePwd (unicode password, must be enclosed in quotes)
  dsHeuristics - the 9th byte specifies whether userPassword is a real attribute or an alias for unicodePwd.
  MD5 hashed password (helloworld) - {MD5}/F4DjTilcDIIVEHn/nAQsA==
- NDS Novell Directory Service: uses NDAP - Novell Directory Access Protocol, comes over NCP; NCP works over IPX, IPX encapsulated in IP and since Novell NetWare v5 over IP
- ADSI Edit LDAP signing and sealing (encryption) on/off: HKLM/Soft/Win/CV/AdminDebug ADsOpenObjectFlags = DWORD; 1 - disable signing; 2 - disable encryption; 3 - disable both
- LDAP search Filter Types and expressions (RFC 2254): ! not; | or; & and; = equal, with * wildcard; <=, >=; ~= like; objectClass - cannot contain *
- Network Load Balancing - NLB: nlbmgr.exe; MaskSourceMAC - REG_DWORD = 0 - in unicast mode does not mask the common MAC address
- System Restore Monitored File Extensions
  Whole registry (but some actual auth. and security info is COPIED!!!!)
  User Profiles - local only
  Windows File Protection cache
  IIS Metabase
  DLL, EXE, SYS, INI!!!, OCX, MANIFEST, CMD, BAT
  all other NOT known? No: none of the explicitly known ones (e.g. DOC, TXT, MDB, LDB, ADM, PDF, HTM, XML, ...)
  Registry and File Exemptions:
  HKLM\system\currentcontrolset\control\backuprestore\KeysNotToRestore
  HKLM\system\currentcontrolset\control\backuprestore\FilesNotToBackup
  Not: SAM hives
- RIS only one volume: SIS is an FS filter driver and cannot be stopped
- RIS exclude SIS folders
  Global solution for all volumes: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Groveler\ExcludedPaths folder_name = REG_SZ = \cesta (the path)
  For a particular volume: SIS Common Store\grovel.ini
  [Excluded Paths]
  Folder2 directory = \Folder3
- Local certificate template cache: HKCU\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache; HKLM\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache; delete the keys and invoke GPUPDATE to refresh
--------------------------------
ActiveX
0) MSRDP (TSWeb) Remote Desktop Web Connection
1) HTTP GET (html + gif)
2) tag: "Run ActiveX Controls and Plug-ins"
3) yes: do I have it on the computer?
5) no: "Download Signed/Unsigned controls" - if both are disabled, there will be no download; if at least one option is enabled, download...
4) HTTP GET msrdp.cab
5) it is "signed" or "unsigned" and that is allowed with a prompt, then the prompt...
6) dialog: "Install MSRDP control from MS?"
7) yes: install and run, OK.
8) click on connect, script... "Script ActiveX controls marked safe/unsafe for scripting"
9) yes: run it.
safe for script: IObjectSafety or...
[AddToRegistry]
; safe for install
HKLM,"SOFTWARE\Classes\CLSID\{}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
; safe for scripting
HKLM,"SOFTWARE\Classes\CLSID\{}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
registry: HKCR\CLSID\id ---> TypeLib (GUID) ----> HKCR\TypeLib\TypeLibID ----> HKCR\Interface\interfaceID\TypeLibID
???? out-of-process ?????
"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls" - Named Pipes LanManServer: NullSessionShares, NullSessionPipes (but hardcoded null session pipes: lsarpc, wkssvc, samr, srvsvc, netlogon, browser removed in XP SP2 and 2003 SP1 but added to NullSessionPipes key) lsass = nelogon (alias) ntsvcs = browser (alias) resultant set of NULL accessibles: wkssvc and srvsvc not accessible on 2003 SP1 by NULL Named Pipes firewall: PipeFirewallActive, AllowedPipes lsarpc - SID/Name translation samr - enumeration of SAM accounts (on DC ACL is based on Pre-Windows 2000 Compatible Access) srvsvc - NetShareEnum, NetServerTransportEnum, NetServerGetInfo, ... wkssvc - NetWkstaGetInfo, NetWkstaTransportEnum, ... svcctl - service controller (add, remove service, ...) TOOLS: pipeacl, lsaacl - IE Local Machine Zone Lockdown Mark of the Web comment: - WSUS klient: wuauclt.exe /resetauthorization /detectnow /resetauth. deletes client's cookie determining his computer "group" (the cookie normally expires after one hour) versions: 5.4 no SSL support, only 80 to SUS 5.8 included in XP_SP2 and 2k3_SP1 (WSUS aware) - POP3 connector troubleshooting %program files%/SBS/Networking/POP3/Incoming Email - after POP3 put here and remain here if corrupted %program files%/Exchsrv/Mailroot/VSI 1/PickUp - moved here by CDO to let SMTP to pick them up and deliver %program files%/SBS/Networking/POP3/Failed Email - error with SMTP server reregistering SMTP event sink: %program files%\microsoft windows small business server\networking\pop3\imbreg.exe view event sinks: smtpreg.vbs /enum > eventsinks.txt - Port scan GRC port scan from web - Deleted Items Retention (exchange) SHIFT-DEL in outlook deletes messages immediately, not retening them. - HKLM/So/Ms/Exchange/Client/Options/DumpsterAlwaysOn = DWORD = 1 - Outlook startup parameters outlook creates default folders in appropriate language, when first started. can reset language later. 
  command-line switches are in Outlook's help; /resetfoldernames - resets names to the correct language and also creates the deleted folders.
- Exchange 1 GB limit exceeded, for 15/16 GB: HKLM\...\Svc\MSExchIS\Server\...store...\Temporary DB Size Limit Extension = DWORD = 1
- Exchange 75 GB limit: HKLM\.Svc.\MSExchIS\Server\..store..\Database Size Limit in GB = DWORD = 75
  10 percent free space or an event log message from the IS stating the limit is approaching.
  HKLM\.Svc.\MSExchIS\Server\..store..\Database Size Buffer in Percentage = DWORD = 10
  Database Size Buffer Warning = 75% db used
  Database Size Check Start Time in Hours From Midnight = 4 h will dismount the db.
- Exclude user from Mailbox Management: user object attribute msExchPoliciesExclude = {3B6813EC-CE89-42BA-9442-d87d4aa30dbc}
- Information Store browser for Exchange 2003: mdbvue32 - utility on the Exchange CD/Support/Utils
- Strip attachments from NDR in Exchange: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMTPSVC Key: Queuing MaxDSNSize = REG_DWORD size limit in bytes.
- SQL Server database suspect: sp_resetstatus; it is a bit in SYSDATABASES, Status = Status & ~256; or go to so-called emergency mode: Status = Status | -32768; this prevents restoring the database when SQL starts.
  Use SINGLE USER MODE; DBCC CHECKDB
- Exchange DSAccess cache timeout and keep-alives: CacheTTLConfig = DWORD = x sec; LDAPKeepAliveSecs = DWORD; DisableNetlogonCheck = DWORD = 1
- Exchange OWA timeouts: MSExchangeWeb/OWA PublicClientTimeout = DWORD = minutes; TrustedClientTimeout = DWORD = minutes
- LDAP Bit searches (How to Specify Comparison Values)
  1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND
  1.2.840.113556.1.4.804 = LDAP_MATCHING_RULE_BIT_OR
  1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN
  ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648): (&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))
  userAccountControl ADS_USER_FLAG_ENUM: ADS_UF_ACCOUNTDISABLE = 0x2
  binary searches: 0x00000004 is encoded as \00\00\00\04
  special characters: * \2a; ( \28; ) \29; \ \5c; NUL \00
  Date time searches: UTCTime: YYMMDDHHMMSSZ (&(objectCategory=user)(whenCreated=991122000000Z)); GeneralizedTime: YYYYMMDDHHMMSS.0Z (whenCreated=19990323205258.0+1200)
  Boolean: TRUE, FALSE
  GUID: {BF967ABA-0DE6-11D0-A285-00AA003049E2} (schemaidguid=\BA\7A\96\BF\E6\0D\D0\11\A2\85\00\AA\00\30\49\E2)
  SID: "S-1-5-21-1935655697-308236825-1417001333" (ObjectSid=\01\04\00\00\00\00\00\05\15\00\00\00\11\C3\5Fs\19R\5F\12u\B9uT)
- LDAP query limit: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Directory QueryLimit = DWORD
- OID: description: http://www.alvestrand.no/objectid/; search: http://asn1.elibel.tm.fr/en/oid/index.htm; OID request: http://www.iana.org/cgi-bin/enterprise.pl; IANA registry: http://www.iana.org/assignments/enterprise-numbers; Microsoft: 1.3.6.1.4.1.311 http://support.microsoft.com/kb/287547/EN-US/
- Hide user from welcome screen: HKLM\So\Ms\WNT\Winlogon\SpecialAccounts\UserList userName = DWORD = 0
- SBS infos: HKLM/Soft/MS/SmallBusinessServer
  /RemoteUserPortal/Port = 4125
  /RemoteUserPortal/SendMail = 1 (sends invitation email)
  /Network/POP3 Connector/DeleteFromServer
  HKCU/Soft/MS/SmallBusinessServer /Administration/AUWLogonNameOption = 1,
  2, 3, 4
  %sbs program dir%/Administration/samplemail.htm
  %sbs program dir%/Networking/ICW/autoicwscript.vbs
  %sbs program dir%/ClientSetup/apps.dat (then in /Clients/response/pocitac, where pocitac = the computer name)
- Custom Exchange OWA forms-based authentication: %exchsrv%/exchweb/bin/auth/usa/logon.asp
- Virtual PC (VPC) host time synchronization: integration/microsoft false
- IIS 6.0 SSL for host headers (only 2k3 SP1); note: HKLM\Svc\HTTP\Parameters\EnableKernelSSL = DWORD = 1 - this disables user/client certificates
  cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:"
- Exchange Recipient Update Service email address wildcards: %g - given; %s - surname; %i - initial name; %m - mailbox alias; %3g - first 3 characters of the given name; %rxy - replaces character x with character y; %d - display name; %g.%rxy%s
- Exchange restore and ESEUTIL backup details: http://support.microsoft.com/kb/296788
  /cc - hard recovery; /cm - look in Recovery.ENV; /mh - check consistency offline; /d - defragment offline with at least 110% of free space
- IMF (intelligent message filter) together with the POP3 Connector is not working (misses the "End of Data" event sink because CDO uses the PickUp folder)
- RPC over HTTP troubleshooting: rpcping.exe -t ncacn_http -s ExchangeServerName -o RpcProxy=ProxyServerName -P "user,domain,*" -H 1 -u 10 -a connect -F 3 -E -R none
  http://support.microsoft.com/default.aspx?scid=kb;en-us;831051
- IIS 6 Basic Authentication token cache (only for Basic, for Win it is not used): HKLM\System\CurrentControlSet\Services\Inetinfo\Parameters FlushTokenCache; UserTokenTTL
- Internet connectivity speed measurement: www.dsl.cz
- Freedocs in Exchange are not visible through OWA: ...\MSexchangeWeb\owa\EnableFreeDocs = DWORD = 0 - blocked; 1 - from BEs; 2 - from BEs and specific FEs; 3 - from all
- SCL (spam confidence level) in OWA can be viewed.
- Reset GPO (Group Policy): dcgpofix
- Automatically search for network folders and printers: disabled when in a domain, more than 32 computers, over VPN.
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling = DWORD
- Tarpit for Exchange 2003: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters TarpitTime = DWORD = seconds
- Sender ID (SenderID): www.anti-spamtools.org
- Offline files extensions not cached: *.slm;*.mdb;*.ldb;*.mdw;*.mde;*.db?;*.pst
  to remove *.pst, use the policy and preserve all the others!
- Reinstall Automatic Updates Client: rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %systemroot%\inf\au.inf
- OWA publishing HTTP verbs/commands, only the necessary ones: GET POST PROPFIND PROPPATCH BPROPPATCH MKCOL DELETE BDELETE BCOPY MOVE SUBSCRIBE BMOVE POLL SEARCH
  request URL block list: ./ % \
- RPC/HTTP (RPCoverHTTP) HTTP verbs, only the necessary ones: RPC_IN_DATA RPC_OUT_DATA
- AD, Kerberos and Netlogon ports; trusts: hklm\svc\ntds\parameters\tcp/ip port; hklm\svc\netlogon\parameters\dc tcpip port
- NTAuth store: dsstore; ldap://domain/cn=NTAuthCertificates,CN=Public Key Services,CN=services,CN=Configuration,DC=...
  attribute: cACertificate
  GP refresh stores the registry information on client computers under: HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\NTAuth\Certificates
- Certificates
  Domain Controller: SSL authentication, SMTP encryption, RPC signing, smartcard logon process
  subject: CN=server1.northwindtraders.com,OU=Domain Controllers,DC=northwindtraders,DC=com
  key usage: Digital Signature, Key Encipherment
  enhanced key usage: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)
  Subject Alternative Name: GUID and DNS name
  Other Name: 1.3.6.1.4.1.311.25.1 = ac 4b 29 06 aa d6 5d 4f a9 9c 4c bc b0 6a 65 d9
  DNS Name=server1.northwindtraders.com
  Web Server: Server Authentication
  Smart Card User: Smart Card Logon, Client Authentication, Secure Email
- Enhanced Key Usages: certificate templates/rightclick/view OIDs
  Client Authentication: 1.3.6.1.5.5.7.3.2
  Server Authentication: 1.3.6.1.5.5.7.3.1
  Code Signing: 1.3.6.1.5.5.7.3.3
  Smart Card Logon: 1.3.6.1.4.1.311.20.2.2
  File Recovery: 1.3.6.1.4.1.311.10.3.4.1
  Key Recovery: 1.3.6.1.4.1.311.10.3.11
- Check certificate validity fully, including revocation list download: certutil -verify -urlfetch
- ADO ConnectionString (connection string)
  strCon = "Provider=sqloledb;Data Source=myServer;Initial Catalog=Northwind;User Id=usr;Password=pwd"
  set conn = Server.CreateObject("ADODB.Connection")
  conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("database.mdb")
  conn.Open
  conn.Close
- Rogue DHCP detection: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dhcpserver\Parameters DisableRogueDetection = DWORD = 1
- RPC (DCE/RPC): www.opengroup.org !!!!!
http://www.hsc.fr/ressources/articles/win_net_srv/ch04s09s02.html Remote Management Interface afa8bd80-7d8a-11c9-bef4-08002b102989 Enpoint Mapper Interface (rpcss) e1af8308-5d1f-11c9-91a4-08002b14a0fa Local Endpoint Mapper Interface (rpcss) 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b DgbIDL (rpcss) ( debugging RPC Services since XP RPC Troubleshooting State Information ) 1d55b526-c137-46c5-ab79-638f2a68e869 Active Directory replication interface: e3514235-4b06-11d1-ab04-00c04fc2dcd2 Active Directory backup interface: ecec0d70-a603-11d0-96b1-00a0c91ece30 Active Directory restore interface: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 Active Directory DSRole interface: 1cbcad78-df0b-4934-b558-87839ea501c9 Active Directory DSAOP interface: 7c44d7d4-31d5-424c-bd5e-2b3e1f323d22 Active Directory Name Service Provider (NSP) interface (exchange): f5cc5a18-4264-101a-8c59-08002b2f8426 NTFRS FrsRpc operations interace: f5cc59b4-4264-101a-8c59-08002b2f8426 NTFRS NtFrsApi interface: d049b186-814f-11d1-9a3c-00c04fc9b232 NTFRS PerfFrs interface: a00c021c-2be2-11d2-b678-0000f87a8f8e Init Remote Shutdown Winlogon Interface: 894de0c0-0d55-11d3-a322-00c04fa321a1 DCOM (rpcss, COM Service Control Manager) 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 : IActivation (also called IRemoteActivation::RemoteActivation) c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0: IMachineActivatorControl b9e79e60-3d52-11ce-aaa1-00006901293f v0.2:IROT 412f241e-c12a-11ce-abff-0020af6e7a17 v0.2: ISCM e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0: ILocalObjectExporter 99fcfec4-5260-101b-bbcb-00aa0021347a v0.0: IOXIDResolver 00000136-0000-0000-c000-000000000046 v0.0: ISCMActivator 000001a0-0000-0000-c000-000000000046 v0.0: ISystemActivator DCOM Interfaces hosted by a typical DCOM server: 00000001-0000-0000-c000-000000000046 v0.0 (IUnknown) 00000131-0000-0000-c000-000000000046 v0.0 (IRemUnknown) 00000132-0000-0000-c000-000000000046 v0.0 (ILocalSystemActivator) 00000134-0000-0000-c000-000000000046 v0.0 (IRunDown) 
00000143-0000-0000-c000-000000000046 v0.0 (IRemUnknown2) 18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0 (IOrCallback) - downloaded .NET components cannot instantiate GAC components downloaded components are placed into %systemroot%/assembly/download clear all downloaded components: gacutil /cdl - Quota limiting ISA 2004 http://www.digirain.com/tquota/ - disable Media Sense HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters DisableDHCPMediaSense = DWORD = 1 DisableClusSvcMediaSense = DWORD = 1 (srv 2k3 SP1) - AD (ADS, ADs, IADs) flagy ADS_USER_FLAG_ENUM ADS_GROUP_TYPE_ENUM - LDIF (LDF) syntaxe http://www.ietf.org/rfc/rfc2849.txt?number=2849 .LDF minimal attribute set: dn: CN=...,DC= (CN, DN, etc must be case sensitive) sAMAccountControl: .LDF can contain: changeType: add (means add an object) delete (means delete an object) modrdn newRdn: cn=ondra deleteOldRdn: 1 deleteoldrdn: 0 newsuperior: ou=Accounting, dc=airius, dc=com changetype: modify add: postaladdress (adds aditional address into, NESMÍ existovat stejná hodnota) postaladdress: 123 Anystreet $ Sunnyvale, CA $ 94086 - delete: description - replace: telephonenumber telephonenumber: +1 408 555 1234 telephonenumber: +1 408 555 5678 delete: facsimiletelephonenumber (deletes the specific value from fax) facsimiletelephonenumber: +1 408 555 9876 replace: postaladdress (replaces with empty) unicodePwd: Base-64 change password (delete and add, Base64 encoded): changeType: modify delete: unicodePwd unicodePwd::"stareheslo" - add:unicodePwd unicodePwd::"noveheslo" set password (modify, Base64 encoded - heslo "", potom do UNICODE! 
a na konec do BASE64): changeType: modify replace: unicodePwd unicodePwd::"heslo" - CANNOT IMPORT: memberOf badPwdCount: badPasswordTime: lastLogoff: lastLogon: logonCount: objectGUID: objectSid: primaryGroupID: pwdLastSet: sAMAccountType: - 636 LDAPS (LDAP over SSL, LDAPoverSSL) ldifde -s serverFQDN serverFQDN must be in CN in Subject of the certificate - HTTP Cache control Server indicates the expiration Expires: (can be in the past to require revalidation) Cache-control: max-age (takes precedence over Expires) Server indicates last modification and the time of response generation Last-Modified: Date: Cache indicates the entry age (only inserted by 1.1 caches allong the way): Age: Freshness lifetime: Expires - Date Cache-control: private, max-age=2592000 Cache-control: no-cache Cache-control: no-store (do not store on disk) Pragma: no-cache Expires: 0 Cache-control: private (private and MUST NOT be cached by a shared cache) dynamic content is URL with ? - Badmail HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMTPSVC MaxBadMailFolderSize = DECIMAL = 0 / max.velikost / FFFFFFFF BadMailSyncPeriod = DECIMAL = minutes to check the size BadmailAdmin.exe - Disable client GPO HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System DisableGPO=dword:00000001 taky v HCU pro uživatele. - Security page on mbx store for Exchange hkcu/so/ms/Exchange/ExAdmin ShowSecurityPage = DWORD = 1 - Exchange 2003 3GB switch /3GB /USERVA=3030 kb823440 HKLM/Sy/CCS/Control/SessionManager/ HeapDecommitFreeBlockThreshold = DWORD = xxx 0x00040000 HKLM/Sy/cCS/Control/SessionManager/Memory Management SystemPages = xxx - WaitToKillServiceTimeout HKLM/Sy/CCS/Control WaitToKillServiceTimout = REG_SZ!! = 120000 - Archive folder and others for IMF for Exchange hklm/so/ms/exchange/contentFilter ArchiveDir = REG_SZ = xxx (default is ...\mailroot\vsi1\UCEArchive) ArchiveSCL = DWORD = 1 to archive SCL rating with the messages. 
(X-SCL: header) (also can be displayed by outlook, but requires a SCL.CFG file) IMF updates (goes into folder .../Exchsvr/Bin/MSCFV2): hklm/so/ms/exchange ContentFilterState = DWORD = 1 - RWW (remote web workplace) hklm/so/ms/smallBusinessServer/RemoteUserPortal ExcludeList = REGSZ = comma separated computer names that will not appear on the comp.list - GPRS Eurotel dns1 = 160.218.10.200 dns2 = 160.218.43.200 Pro paušál: +CGDCONT=1,"IP","internet" Pro Go: +CGDCONT=1,"IP","gointernet" smtp.etmail.cz Oskar dns1 = 217.77.161.130 dns2 = 217.77.161.131 Pro paušál: +CGDCONT=1,"IP","internet" Pro Oskartu: +CGDCONT=1,"IP","ointernet" smtp.mujoskar.cz T-Mobile dns1 = 62.141.0.1 dns2 = 62.141.0.2 +CGDCONT=1,"IP","internet.t-mobile.cz" smtp.t-email.cz - Subject Alternative Name (SAN) 1) certutil -setreg policy\editflags +EDITF_ATTRIBUTESUBJECTALTNAME 2) requestType = CMC 3) pro vice CN: ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT Other Name: 1.3.... = hodnota UPN = 1.3.6.1.4.1.311.20.2.3 GUID = 1.3.6.1.4.1.311.25.1 Other Name: 1.3.6.1.4.1.311.25.1 = ...;guid DNS Name=server1.cohovineyard.com [RequestAttributes] SAN="upn=ondra@firma.cz&guid=test" upn=ondra@firma.cz guid=100304503534 url="dddd" ipaddress=192.168.1.1 oid=15.5.5.5 dn="cn=..." dns="server.firma.cz" email="ondra@firma.cz" 1.3.6.1.4.1.311.20.2.3="ondra@firma.cz" - autoenrollment pulze pres MMC, nebo CERTUTIL. je tam 1 min. interval pro UserInit - viz. faq-logs. 
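How the Enhanced Key Usage OIDs listed above actually sit inside a certificate: an added example (not from the original notes) that DER-encodes a dotted OID, rebuilds the extKeyUsage extension value (a SEQUENCE OF OBJECT IDENTIFIER) and walks it back into names. The EKU_NAMES table is the page's own list; the sample extension bytes are constructed here from the Domain Controller template's two EKUs, and no X.509 library is assumed.

```python
"""DER encode/decode of Enhanced Key Usage OIDs (added example, not from the notes)."""
import base64

# EKU names as listed in the notes, keyed by dotted OID.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.4.1.311.10.3.4.1": "File Recovery",
    "1.3.6.1.4.1.311.10.3.11": "Key Recovery",
}


def _encode_base128(n: int) -> bytes:
    """Big-endian base-128 with continuation bits, as used for OID arcs."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06); the first two arcs share one byte."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _encode_base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _encode_base128(arc)
    return b"\x06" + _der_len(len(body)) + body


def _read_len(data: bytes, pos: int):
    """Return (length, position after the length octets)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid_body(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]                # packs 40*arc1 + arc2, arc1 in {0,1,2}
    arc1 = 2 if first >= 80 else first // 40
    return ".".join(str(a) for a in [arc1, first - 40 * arc1] + arcs[1:])


def encode_eku_extension(oids) -> bytes:
    """extKeyUsage extnValue: SEQUENCE OF OBJECT IDENTIFIER."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(inner)) + inner


def parse_eku_extension(der: bytes) -> list:
    """Return [(dotted_oid, name_or_None), ...] from an extKeyUsage value."""
    if der[0] != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    seq_len, pos = _read_len(der, 1)
    end, result = pos + seq_len, []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid_len, pos = _read_len(der, pos + 1)
        dotted = decode_oid_body(der[pos:pos + oid_len])
        result.append((dotted, EKU_NAMES.get(dotted)))   # None = unknown EKU
        pos += oid_len
    return result


# Constructed sample: the Domain Controller template's EKUs from the notes.
DC_EKU_DER = encode_eku_extension(["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"])

if __name__ == "__main__":
    print(base64.b64encode(DC_EKU_DER).decode())
    for oid, name in parse_eku_extension(DC_EKU_DER):
        print(oid, name)
```

An EKU that decodes to an OID missing from the table comes back with name None; that is the case to look at when a template's "view OIDs" dialog shows something unexpected.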
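The unicodePwd rule from the LDIF notes above (password in double quotes, then UTF-16LE, then Base64 after the `::` of RFC 2849) as a small generator: an added example, not from the original notes. It emits the two forms the notes list, the administrative `replace` and the user-style `delete` + `add`; the DN and passwords passed in are placeholders.

```python
"""Build AD unicodePwd LDIF change records (added example, not from the notes)."""
import base64


def encode_unicode_pwd(password: str) -> str:
    """Base64 of the UTF-16LE encoding of the password wrapped in double quotes."""
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def decode_unicode_pwd(b64: str) -> str:
    """Inverse of encode_unicode_pwd, for checking a value in an existing .ldf."""
    raw = base64.b64decode(b64).decode("utf-16-le")
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError("unicodePwd value must be a double-quoted string")
    return raw[1:-1]


def ldif_set_password(dn: str, new_password: str) -> str:
    """'replace' form: administrative reset, the old password is not proven."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(new_password)}",
        "-",
        "",
    ])


def ldif_change_password(dn: str, old_password: str, new_password: str) -> str:
    """'delete' + 'add' form: the caller must supply the current password."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(old_password)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(new_password)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Placeholder DN and passwords, constructed for the demo only.
    print(ldif_set_password("CN=ondra,OU=Users,DC=example,DC=com", "heslo"))
    print(ldif_change_password("CN=ondra,OU=Users,DC=example,DC=com", "stareheslo", "noveheslo"))
```

Both records only succeed over a protected connection, which is why the notes pair unicodePwd with `ldifde -s serverFQDN` over LDAPS on 636: the directory refuses password writes on plain LDAP.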
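The HTTP cache-control rules listed above turned into a decision function: an added example, not from the original notes. It applies the order the notes give (no-cache and Pragma force revalidation, max-age wins over Expires, otherwise freshness lifetime = Expires - Date, Age subtracted by downstream 1.1 caches) and honours no-store and private for a shared cache. The header sets are constructed inline; the cache itself is assumed, not a specific product.

```python
"""Freshness and storability of an HTTP response (added example, not from the notes)."""
from email.utils import parsedate_to_datetime


def _parse_cache_control(value: str) -> dict:
    """'private, max-age=2592000' -> {'private': None, 'max-age': '2592000'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def freshness_lifetime(headers: dict) -> int:
    """Seconds the response may be served without revalidation (0 = stale now)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = _parse_cache_control(h.get("cache-control", ""))
    if "no-cache" in cc or h.get("pragma", "").lower() == "no-cache":
        return 0                        # must revalidate on every use
    if cc.get("max-age") is not None:   # max-age takes precedence over Expires
        return max(0, int(cc["max-age"]))
    expires, date = h.get("expires"), h.get("date")
    if expires is None or date is None:
        return 0                        # no usable expiry: treat as stale
    try:
        expires_dt = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return 0                        # "Expires: 0" or junk = already expired
    return max(0, int((expires_dt - parsedate_to_datetime(date)).total_seconds()))


def cache_decision(headers: dict, shared_cache: bool) -> dict:
    """Whether this cache may store the response and for how long it stays fresh."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = _parse_cache_control(h.get("cache-control", ""))
    storable = "no-store" not in cc and not (shared_cache and "private" in cc)
    lifetime = freshness_lifetime(headers) if storable else 0
    age = int(h.get("age", "0"))        # inserted by 1.1 caches along the way
    return {"storable": storable, "freshness_lifetime": lifetime,
            "fresh_for": max(0, lifetime - age)}


# Constructed sample responses, one per rule in the notes.
SAMPLES = {
    "expires_only": {"Date": "Tue, 15 Nov 1994 08:12:31 GMT",
                     "Expires": "Wed, 16 Nov 1994 08:12:31 GMT"},
    "max_age_private": {"Date": "Tue, 15 Nov 1994 08:12:31 GMT",
                        "Expires": "Wed, 16 Nov 1994 08:12:31 GMT",
                        "Cache-Control": "private, max-age=2592000", "Age": "100"},
    "expires_zero": {"Date": "Tue, 15 Nov 1994 08:12:31 GMT", "Expires": "0"},
    "no_store": {"Cache-Control": "no-store", "Expires": "Wed, 16 Nov 1994 08:12:31 GMT",
                 "Date": "Tue, 15 Nov 1994 08:12:31 GMT"},
    "pragma": {"Pragma": "no-cache", "Date": "Tue, 15 Nov 1994 08:12:31 GMT",
               "Expires": "Wed, 16 Nov 1994 08:12:31 GMT"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, cache_decision(hdrs, shared_cache=True))
```

The private/shared split is the security-relevant one: a response marked private (for example an OWA page) must never be served from a proxy's shared cache to the next user, whatever max-age says.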
- POP3 Connector
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\Network\POP3 Connector
  ScheduleAccelerator = DWORD = speed divisor
- Driver preinstallation
  DPINST - driver package installer
  DriverInstallationTools.msi
- WiFi 802.1x MAC filtering
  Calling-Station-ID in AD (it is a regular expression)
  A1B2C3D4E5F6|A2B3C4D5E6F7
- File Transfer Manager
  transfers.ds.microsoft.com
- web.config
  Tracing and Debugging
- SDK Active Directory (AD) password change filter sample
  PassFilt
- MIIS PCNS adds to the schema:
  MS-MIIS-PCNS-Service
  MS-MIIS-PCNS-Target
- GLOBAL??, ?? and DOSDEVICES
  symbolic link from the command line
  \\?\GLOBALROOT\Device\HarddiskVolume1
- .NET Framework 2.0 builds 1.1
  MSBuild Extras - MSBee
- Run a .NET application on a different framework than the compile-time version
  EXEAppName.exe.config
- LLMNR (Link Local Multicast Name Resolution)
  224.0.0.252 UDP 5355
- SMTP: check an email server
  Email Dossier http://centralops.net/co/EmailDossier.vbs.asp
- Deleted Objects, tombstone interval, phantoms
  LDP: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=YOURDOMAIN,DC=COM
  Search DN: see http://support.microsoft.com/default.aspx?scid=kb;en-us;q258310
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
  DWORD = Days per database phantom scan = 2
- FSMO attributes
  attribute: fsmoRoleOwner
  Primary Domain Controller (PDC) FSMO: LDAP://DC=MICROSOFT,DC=COM
  RID Master FSMO: LDAP://CN=Rid Manager$,CN=System,DC=MICROSOFT,DC=COM
  Schema Master FSMO: LDAP://CN=Schema,CN=Configuration,DC=Microsoft,DC=Com
  Infrastructure Master FSMO: LDAP://CN=Infrastructure,DC=Microsoft,DC=Com
  Domain Naming Master FSMO: LDAP://CN=Partitions,CN=Configuration,DC=Microsoft,DC=Com
  Operational attributes - not in the schema, but writing to them transfers the role:
    becomeRidMaster
    becomeSchemaMaster
    becomeDomainMaster
    becomePDC
    becomeInfrastructureMaster
- Network Location Awareness (NLA)
  HKLM\...\Windows NT\CV\NetworkList\
    Profiles
    Signatures
- Disable IPv6
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\
  DWORD = DisabledComponents = 0xFF
- Domain profile FW (Windows Firewall)
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
- QoS service types (DSCP, Differentiated Services Code Point)
  ServiceTypeBestEffort 0x0
  ServiceTypeControlledLoad 0x18
  ServiceTypeGuaranteed 0x28
  ServiceTypeNetworkControl 0x30
  ServiceTypeQualitative 0x0
  ServiceTypeTcpTraffic 0x0