There's lot on the web regarding passwords and what they should consist of. There are plenty of sites that also validate the strength of a would-be password. But do those sites make useful suggestions??? Let's find out. But first what makes a stronger better password? Clearly, the longer and the more types of characters used the better. However creating a password from a word and substituting letters for numbers is not advisable, password cracking tools cater for this behaviour and adding numbers to the end of a word. Password, Pa$$word, P455word, Password1234 are some truly awful examples of what's bad. The following table shows the top sites from google search results. So I decided to test those sites. Passwords of varying complexity were entered and the results are below. The colour coding depicts how well the site did with a given password. Red is bad, Yellow is okish and Green is good. As you can see some sites believe that 'Password1234' will take 10,000 years to crack. Of the sites tested only 'https://www.my1login.com' provided realistic results for known passwords. I'm not sure of the validity of 'sokv3sHMqdCgUB' taking 27 trillion years to crack, it's based on A to Z upper and lower case characters and numbers. 'https://password.kaspersky.com/' rates the password and validates it against known password lists. Interestingly Kaspersky rated 'sokv3sHMqdCgUB' higher than ''u%L~C3|u^@ LT'. We know not to trust sites to validate the strength of passwords and have an idea of what is acceptable, and what's a bad password. So the advice is mixed and managing the type and number of complex passwords required is a massive nightmare. My suggestion is to delegate the task to a program designed to generate passwords, personally, I use Keepass all my passwords look something like the following 'L$e(`}0}*MmhtKm(WBrY' or '0iJqhzxlMv81mU6ARnVf', both are 20 characters. Some sites don't support the additional special characters and an alternative A to Z and Number password is needed. Simple, right!!! Not really, Kaspersky collects password lists and by the looks of it, many thousands of password lists. Many of those lists will be from sites and companies that have been hacked and their passwords uploaded to the Internet. Visit 'https://www.avast.com/hackcheck', it's the same as 'https://haveibeenpwned.com/' but better, no signing up and Avast delivered an email with the sites and associated passwords. It's never simple and there's a 'but'. Companies that have been hacked try and hide the fact or simply don't know for extended periods. Your password or encrypted password could be out in the wilds and you may never know, undermining the long complex Keepass passwords. What to do.... 2 Factor Authentication..... what the......Don't panic it's not that bad..... If your Android user downloads 'Google Authenticator'. For any site that provides email, financial or social media enable 2FA. When you log on the password is entered and a rotating 6-digit pin from the phone is entered. If your password is compromised the hacker won't have the second part of the authentication to logon. Hopefully, an alert will be sent to your email address informing you of an unsuccessful login attempt, providing time to change the password. In these connected times, it's important to secure your online presence as much as you secure your personal possessions with locks on the doors. Of course, burying your head can be an alternative plan, however, I belong to the tin hat brigade and tend to secure everything to the point it stops being useful ;)

Apparently, the wife reckons it does, but she could be having a dig..... This is a bit of fun, nothing scientific, does the size of the wifi antenna matter? The laptop is the Asus Zenbook 301LA with an internal wifi adapter vs the Alfa AWUS036AC USB wifi adapter The tests will comprise of running 'nmcli dev wifi' for the internal adapter and Alfa with 18cm and 36cm antenna's. Internal - top-rated signal strength is 65 and 17 SSID's Alfa 18cm Antenna - top-rated signal strength 3 * 100 and 24 SSID's Alfa 36cm Antenna - top-rated signal strength 2 * 100 and 26 SSID's. The Alfa ran rampant over the internal adapter with both increased signal strength and range (visible AP's). Surprising the Alfa 18cm antenna beat the 36cm antenna for top signal strength. However, 14 SSID's were above 51 for the 36 cm antenna whereas only 8 are listed for the 18cm antenna. Interestingly the internal adapter showed a connection speed of 115Mbs and the Alfa 144Mbs on the network settings. The wife is correct, size does matter, she ain't going to let this go. Although the 18cm antenna holds the outright top signal strength the 36cm antenna has further reach and lists more SSID's. The internal wifi adapter is rubbish, as I said this is not scientific.... It's definitely advantageous to use a dedicated external USB wifi adapter, speed and range are improved. Would I sit in a coffee shop with that monstrosity sticking out of my laptop when I'm trying to look inconspicuous......

For the past 5 or 6 years local Applocker policies have been created with Powershell scripts and since Jan 2021 (ish) importing and merging .xml files produced the following error with the following command: Set-AppLockerPolicy -XmlPolicy "C:\Secure10\Applocker\Enforce.xml" -Merge Set-AppLockerPolicy : The specified rule collection already exists in the policy. At line:1 char:1 + Set-AppLockerPolicy -XmlPolicy "C:\Secure10\Applocker\Enforce.xml" -M ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Set-AppLockerPolicy], RuleCollectionAlreadyExistsException + FullyQualifiedErrorId : Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.RuleCollectionAlreadyExistsException,Microsoft.Security.App licationId.PolicyManagement.Cmdlets.SetAppLockerPolicyCmdlet Fresh installation of Windows 10, deploy the PS script and import local policies without issue. Merge can be executed multiple times for all the xml files that PowerShell has generated. Same client, commands and policies but updated and merge won't work.... This issue is one for Microsoft to resolve and once an answer is forthcoming I'll post it. Has anyone else experienced the same problem?

Creating a simple web report with PowerShell doesn't need to be a chore, there are limitations and it's definitely not a proper HTML editor. It doesn't mean the output should look shoddy. Like many, I'm using PowerShell to analyse Windows and display the results. The screen grab below is a section of a report I'm currently working on and soon to be published. The script is a comprehensive vulnerability assessment written entirely in PowerShell and made to look pretty without trawling through copious amounts of log outputs. This blog will cover the basics of taking PowerShell objects from various sources and creating HTLM output. It's not difficult, just fiddley, a couple of different techniques to successfully convert PowerShell to HTML may be required. Before everyone gets critical regarding the script formatting, some are due to how ConvertTo-HTML expects the data, most are to help those that aren’t familiar with scripting. There is a conscious decision not to use aliases or abbreviations and where possible to create variables. #Set Output Location Variables Nothing challenging here, creates a working directory, and sets the variable for the report output. Tests the existence of the path and if doesn’t exist creates the directory structure. $RootPath = "C:\Report" $OutFunc = "SystemReport" $tpSec10 = Test-Path "$RootPath \$OutFunc\" if ($tpSec10 -eq $false) { New-Item -Path "$RootPath \$OutFunc\" -ItemType Directory -Force } $working = "$RootPath \$OutFunc\" $Report = "$RootPath \$OutFunc\"+ "$OutFunc.html" #HTML to Text Keep it simple, create a variable and add some text. This is the one that ought to be straightforward and ended up being a bit of a pain. The conversion to HTML ended up producing garbage. Google gave some interesting solutions…. The fix I discovered turned out to be super simple. The fragment needs to be set as a ‘Table’ and not a ‘List’. Doh….. $Intro = "The results in this report are a guide and not a guarantee that the tested system is not without further defects or vulnerabilities." #Simple WMI This is a report about Windows, had better collect some wmi attributes. There are 2 methods, dump the attributes into a variable and process them later. Or create a variable for each required attribute and hashtable the data, the latter is a lot of effort. $hn = Get-CimInstance -ClassName win32_computersystem $os = Get-CimInstance -ClassName win32_operatingsystem $bios = Get-CimInstance -ClassName win32_bios $cpu = Get-CimInstance -ClassName win32_processor #Foreach and New-Object. Now life starts to get interesting. The date format needs updating from “23/11/2021 00:00:00” to “23/11/2021” to maintain the formatting a ‘foreach’ is required to strip out the additional characters per line, then added to an array. Under normal circumstances, the red code snippet would suffice. Foreach ($hfitem in $getHF) { $hfid = $hfitem.hotfixid $hfdate = ($hfitem.installedon).ToShortDateString() $hfurl = $hfitem.caption $newObjHF = $hfid, $hfdate,$hfurl $HotFix += $newObjHF } When dealing with HTML the correct method requires the use of ‘New-Object’ command. $HotFix=@() $getHF = Get-HotFix | Select-Object HotFixID,InstalledOn,Caption Foreach ($hfitem in $getHF) { $hfid = $hfitem.hotfixid $hfdate = $hfitem.installedon $hfurl = $hfitem.caption $newObjHF = New-Object psObject Add-Member -InputObject $newObjHF -Type NoteProperty -Name HotFixID -Value $hfid Add-Member -InputObject $newObjHF -Type NoteProperty -Name InstalledOn -Value ($hfdate).Date.ToString("dd-MM-yyyy") Add-Member -InputObject $newObjHF -Type NoteProperty -Name Caption -Value $hfurl $HotFix += $newObjHF } #Pulling Data from the Registry Registry keys require the ‘Get-ChildItem’ followed by ‘Get-ItemProperty’ to extract the individual settings from the Registry Hive. Each setting is then assigned to a variable. $getUnin = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" $UninChild = $getUnin.Name.Replace("HKEY_LOCAL_MACHINE","HKLM:") $InstallApps =@() Foreach ( $uninItem in $UninChild) { $getUninItem = Get-ItemProperty $uninItem $UninDisN = $getUninItem.DisplayName -replace "$null","" $UninDisVer = $getUninItem.DisplayVersion -replace "$null","" $UninPub = $getUninItem.Publisher -replace "$null","" $UninDate = $getUninItem.InstallDate -replace "$null","" $newObjInstApps = New-Object -TypeName PSObject Add-Member -InputObject $newObjInstApps -Type NoteProperty -Name Publisher -Value $UninPub Add-Member -InputObject $newObjInstApps -Type NoteProperty -Name DisplayName -Value $UninDisN Add-Member -InputObject $newObjInstApps -Type NoteProperty -Name DisplayVersion -Value $UninDisVer Add-Member -InputObject $newObjInstApps -Type NoteProperty -Name InstallDate -Value $UninDate $InstallApps += $newObjInstApps } #Cascading Style Sheets (CSS) To apply a consistent style to each element we use a CSS containing text size, colour and font as well as spacing and background colours. Each style, for example 'h1' has a set of properties that applies to any number of elements tagged "variable or text". reducing repeat lines of code required, updating the CSS and all elements receive the change. CSS Tutorial (w3schools.com) is a good resource to learn and try out CSS. In the example below h1, h2 and h3 set different sized fonts and colours. $style = @"

Thousands of files, no structure, let's get them organised into months and years with PowerShell. Duplicates are moved to another directory for review. This script was written in response to trying to manage the 10’s of thousands of photos and videos being uploaded to a file share each year. Management is near impossible with Synology’s DS Photo Android App automatically uploading new photo’s to the root of the share. Plus any taken with cameras or other mobiles were also dumped into the same share. A bit of a mess. For the purposes of testing and this blog, a Data directory was created off the root of C:\. A few hundred photos and videos have been dumped… oops… copied into the folder. The files were copied to create duplicates. Download the 'hash and then sort by month' script from @ Tenaka/FileSystem (github.com) Open PowerShell_ise and browse to the downloaded script. Update the $path variable, Ctrl + A and then F8, sit back and wait for the files to be organised. On a serious note, please don't run this without testing. So what does it do: All files are compared based on their file hash to find all duplicates. Duplicate file names are amended to include an incremental number preventing potential loss of data with files overwriting each other. Files that aren't duplicates are moved based on their creation date to Year\Month directory.

Labs don't tend to follow the best practices or any security standards, they're quick dirty installations for developing and messing around. Here's some food for thought the next time you're wanting to test Applocker or Windows Defender Application Control (WADC) aka Device Guard, you may wish to at least patch. For the most part, deploying Domain Infrastructure, scripts and services works great, until Device Guard is deployed to an unpatched Windows 11 client. Firstly the steps on how to configure Device Guard, then the fun... DeviceGuardBasic.ps1 script can be downloaded from (here). Run the script as Admin and point the Local GPO to Initial.bin following the help. Device Guard is set to enforced, no audit mode for me, that's for wimps, been here hundreds of times......what's the worse that can happen..... arrghhhhh. The first indication Windows 11 had issues was 'Settings' crashed upon opening. This isn't my first rodeo, straight to the eventlogs. Ah, a bloodbath of red Code Integrity errors complaining that a file hasn't been signed correctly. How could this be.... the files are Microsoft files. This doesn't look good, the digital signature can't be verified meaning the signing certificate isn't in the Root Certificate Store for the Computer. This is not the first time I've seen the 'Microsoft Development PCA 2014' certificate. A few years back a sub-optimal Office 2016 update prevented Word, PowerPoint and Excel from launching. It was Applocker protecting me from the Microsoft Development certificate at that time. Well done Microsoft, I see your test and release cycle hasn’t improved. A Windows update and all is fine….right.....as if. I'm unable to click on the Install updates button, it's part of Settings and no longer accessible. Bring back Control Panel. No way I’m waiting for Windows to get around to installing the updates by itself. The choices: Disable Device Guard by removing the GPO and deleting the SIPolicyp7b file. Create an additional policy based on hashes. Start again, 2 hours effort, most of that waiting for updates to install. Creating an additional policy based on hashes and then merging them into the ‘initial’ policy allows for testing Device Guard's behaviour. Does Device Guard prevent untrusted and poorly signed files from running when hashes are present? Observed behaviour is for Device Guard policy to create hashes for unsigned files as a fallback. The new and improved Device Guard script, aptly named 'DeviceGuard-withMerge.ps1' can be downloaded from (here). The only additional lines of note are the New-CIPolicy to create only hashes for the “C\Windows\SystemApps” directory and to merge the 2 XML policy files. New-CIPolicy -Level Hash -FilePath $HashCIPolicy -UserPEs 3> $HashCIPolicyTxt -ScanPath "C:\Windows\SystemApps\" Merge-CIPolicy -PolicyPaths $IntialCIPolicy,$HashCIPolicy -OutputFilePath $MergedCIPolicy The result, 'Settings' now works despite Microsoft's best effort to ruin my day. Creating Device Guard policies based on hashes for files incorrectly signed by Microsoft's internal development CA is resolved. Below is the proof, 'Settings' is functional even with those dodgy files. Conclusion: This may come as a shock to some….. Microsoft does make mistakes and release files incorrectly sighed… shocking. Device Guard will allow files to run providing the hashes are present even when incorrectly signed. Did I learn something, hell yeah! always patch before deploying Device Guard or Applocker. The time spent faffing resolving the issue far exceeded the time it would have taken to patch it in the first place.

Ever wondered or needed to know where all those network connections originate from or terminate in an IP packet trace without querying individual IPs??? Wireshark can provide a map either from a Wireshark packet capture or an import from another source eg Zyxel Firewall, producing the lovely-looking map below. This is the standard log output from a Zyxel, nothing exciting, honest. Ignore 192.168.0.247 attempting to establish a UDP port 500 Isakmp to somewhere not local to query time. Enable a packet capture from the Diagnostic section and capture, add at least the external facing port, wan1. Once the capture has run for a while, stop and then export the files to the local computer where Wireshark is installed. Sign up to MaxMind.com, it's free to download the GeoLite2 Geo Data. https://dev.maxmind.com/geoip/geolite2-free-geolocation-data?lang=en At the bottom of the 'Products' list select 'GeoLite2 Free Geolocation Data' or click the link below. https://www.maxmind.com/en/accounts/699472/geoip/downloads Download the 3 zip files, GeoLite2 ASN, GeoLite2 City and GeoLite2 Country. Unpack and more to a common directory. Open Wireshark, File, Open and select the Zyxel packet capture to import. To import the Geo-Location data, select 'Edit' then 'Preferences'. Select 'Name Resolution' and scroll to the bottom of the page. Select 'Edit' for MaxMind Database Directories. Set the location for the unpacked files. To view the map, select 'Statistics' then 'Endpoints'. Select IPv4 or a tab with a number. At the bottom of the page, select 'Map' and then 'Open in Browser'. That's it.... done

On a previous blog (here), LAPS (Local Administrator Password Solution) was installed. LAPS manages and updates the local Administrator passwords on clients and member servers, controlled via GPO. Only Domain Admins have default permission to view the local administrator password for clients and member servers. Access to view the passwords by non-Domain Admins is via delegation, here lies the problem. Access to the local administrator passwords may be delegated unintentionally. This could lead to a serious security breach, leaking all local admin accounts passwords for all computer objects to those that shouldn't have access. This article will demonstrate a typical delegation for adding a computer object to an OU and how to tweak the delegation to prevent access to the ms-Mcs-AdmPwd attribute. #Prep Work There is some prep-work, LAPS is required to be installed and configured, follow the above link. At least 1 non-domain joined client, preferably 2 eg Windows 10 or 11 Enterprise. A test account, mine's named TestAdmin, with no privileges or delegations and an OU named 'Workstation Test'. Ideally, I'll be using AD Groups and not adding TestAdmin directly to the OU, it's easy for demonstration purposes. #Delgation of Account Open Active Directory Users and Computers or type dsa.msc in the run command. With a Domain Admin account right-click on 'Workstation Test' OU, Properties, Security Tab and then Advanced. Click Add and select the TestAdmin as the principal. Select, Applies to: This Object and all Descendant Objects In the Permission window below select: Create Computer Objects Delete Computer Objects Apply the change. This is a 2 step process, repeat this time selecting. Applies to: Descendant Computer Objects Select Full Control in the Permissions window. #Test Delegation Log on to a domain workstation with RSAT installed and open Active Directory Users and Computers. Test by pre-creating a Computer object, right-click on the OU and select New > Computer, and type the hostname of the client to be added. Log on to a non-domain joined Windows client as the administrator and add to the domain using the TestAdmin credentials, reboot. Then wait for the LAPS policy to apply.......I've set a policy to update daily. #View the LAPS Password As the TestAdmin, from within AD Users and Computers go to View and select Advanced. Right-click properties on the client, select the Attribute tab Scroll down and locate 'ms-Mcs-AdmPwd', that the Administrator password for that client. #The Fix.... To prevent TestAdmin from reading the ms-Mcs-AdmPwd attribute value, a slight amendment to the delegation is required. As the Domain Admin right-click on 'Workstation Test' OU, Properties, Security Tab and then Advanced. Select the TestAdmin entry, it should say 'Full Control'. Remove 'All Extended Rights', 'Change Password' and 'Reset Password' and apply the change. As TestAdmin open AD Users and open the Computer attributes. ms-Mcs-AdmPwd is no longer visible. #Did I Just Break Something...... Test the change by adding a computer object to the OU and adding a client to the domain. Introducing computers to the domain is functional... No harm no foul. #Final Thoughts Removing the Extended Rights and Password permissions prevents the delegated account from reading the local administrator password from ms-Mcs-AdmPwd AD attribute without causing any noticeable problems. Watch for any future delegations ensuring the permissions aren't restored by accident. Enjoy and hope this was insightful.

The best methods for deploying Windows are SCCM and then MDT, hands down. However what if you don't have either deployment service..... no seriously...... Despite the step-by-step guides and the script to deploy MDT in 45 minutes (here) some still chose to manually deploy or clone Windows, maybe they haven't progressed past RIS either..... Question is, can Windows 10 and a host of applications including Office be automated without fancy tooling? The following isn't pretty, there are issues that MDT and SCCM just make disappear, I'm not happy with issues...period. It's a faff and takes way more time prep, is less functional and is only a benefit if there are more than a couple of Windows clients to deploy. Should it ever be done, there may be some limited scenarios, my suggestion, use the correct deployment services designed for deploying Windows. #Pre-requisites 16Gb USB3 as a minimum, preferably 32Gb Windows 10 media MS Office 2019 Chrome, MS Edge, Visual C++, Notepad++ Windows ADK #Windows Media Download Windows 10 ISO and double click to mount as D:\ Create a directory at C:\ named "Version of Windows" eg C:\Windows21H2\. Don't copy the contents of D:\ directly to the USB due to install.wim being larger than the permitted supported file size for Fat32, greater than 4Gb. Copy the files from D:\ (Windows ISO) to C:\Windows21H2\ Split install.wim into 2Gbs files to support Fat32. Dism /Split-Image /ImageFile:C:\Window21H2\sources\install.wim /SWMFile:C:\Window21H2\sources\install.swm /FileSize:2000 Delete C:\Window21H2\sources\install.wim. Insert USB pen and format as Fat32, in this case, it will be assigned as E:\ Copy the entire contents from C:\Windows21H2\ to E:\. #Applications Create directory E:\Software, this is the root for all downloaded software to be saved to. Create the following sub-directories under E:\Software, and download the software to the relevant sub-directory. 7Zip & cmd.exe /c 7z2107-x64.exe /S Chrome & cmd.exe /c msiexec.exe /i GoogleChromeStandaloneEnterprise64.msi /norestart /quiet Drivers & cmd /c pnputil.exe /add-driver Path/*.inf /subdirs /install MS-VS-CPlus & cmd.exe /c vcredist_x86_2013.exe /S MS-Win10-CU & cmd /c wusa.exe windows10.0-kb5011487-x64.msu /quiet /norestart MS-Win10-SSU & cmd /c wusa.exe ssu-19041.1161-x64.msu /quiet MS-Edge & cmd.exe /c msiexec.exe /i MicrosoftEdgeEnterpriseX64.msi /norestart /quiet MS-Office2019 & cmd.exe /c MS-Office2019\Office\Setup64.exe NotepadPlus & cmd.exe /c npp.8.3.3.Installer.x64.exe /S TortoiseSVN & cmd.exe /c msiexec.exe /i TortoiseSVN-1.14.2.29370-x64-svn-1.14.1.msi /qn /norestart WinSCP & cmd.exe /c WinSCP-5.19.6-Setup.exe /VERYSILENT /NORESTART /ALLUSERS I've provided the unattended commands with an extension, its important the correct file type is downloaded for the script to work correctly. Place any driver files in the 'Drivers' directory unpacked as *.inf files. #AutoUnatteneded Download ADK for Windows (here). Install only the 'Deployment Tools'. From the Start Menu open 'Windows System Image Manager' and create a 'New Answer File' and save it to the root of the E:\ (USB), name the file 'AutoUnattend.xml'. I cheated at this point, didn't fancy creating the AutoUnattend.xml from scratch, so I "borrowed" a pre-configured unattend.xml from MDT. To save you the pain download the 'AutoUnattend.xml' from Github (here). Save to the Root of E:\ (USB). Within the autounattend.xml the following line is referenced to execute 'InstallScript.ps1' at first logon. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file D:\software\InstallScript.ps1 Not that the PartitionID is '3' and the InstallFrom is updated from 'install.wim' to 'install.swm'. OnError 0 3 install.swm To select a different edition, the default is Education to run the following command with Admin rights. dism /Get-WimInfo /WimFile:"d:\sources\install.wim" Index : 1 Name : Windows 10 Education Description : Windows 10 Education Index : 2 Name : Windows 10 Education N Description : Windows 10 Education N Index : 3 Name : Windows 10 Enterprise Description : Windows 10 Enterprise Index : 4 Name : Windows 10 Enterprise N Description : Windows 10 Enterprise N Index : 5 Name : Windows 10 Pro Description : Windows 10 Pro Edit the AutoUnattend.xml and update the MetaData value under OSImage to reflect the desired index value. #The Script Download 'InstallScript.ps1' from (here) and save it to E:\Software. #A Brief Script Overview The first action is to copy the Software directory to C:\ so it can be referenced between reboots. The script adds Registry settings to Autologon as 'FauxAdmin' with a password of 'Password1234'. I strongly suggest changing the hardcoded password to something more secure. Warning: During the installation of Windows it prompts for a new account to ensure it reflects the hardcoded name and password in the InstallScript.ps1 'FauxAdmin', 'Password1234'. A Scheduled Task is added that will execute at logon with 'FauxAdmin'. The default hostname is Desktop-####, you'll be asked to enter a new hostname. Pre-Create a Computer object in AD, with the planned hostname of the client being deployed. Domain credentials will be required with delegated permissions to add computer objects to the domain. Update the InstallScript.ps1 with the correct FQDN and OU path $DomainN = "trg.loc" $ouPath = "OU=wks,OU=org,DC=trg,DC=loc" Windows 10 CU and Apps will install with various reboots. A bit of a tidy to remove the AutoLogon and Scheduled Task and then a final reboot. To prevent an attempted re-installation or repeat an action a 'check.txt' file is updated at the end of each step. If validated $true then the step will be skipped. #Deployment Boot PC and enter Bios\UEFI. Set UEFI to boot or initial boot to USB, F10 to save and exit. Insert USB and boot. Setup will start and prompt for disk partitioning, delete the volumes and create new default partitions. OK, Cortana. Create an account of 'fauxadmin' + 'Password1234' - these account details are hardcoded in the script. At initial logon, the PowerShell will launch. The process is completed when the client has been added to the domain and rebooted. Warning. Now reset the FauxAdmin account's password, don't forget it's hardcoded in the script and could allow an attacker to gain access if the password isn't updated. #Notes: The unattended disk partitioning proved to be unreliable and required manual intervention some of the time. This step is now manual. It is assumed that the USB during deployment will map to D:\ this is hardcoded for the Scheduled Task. Hiding Cortana resulted in removing the prompt for a new admin account, it's considered a security benefit to create a new admin account and disable Administrator with SID 500.

<# .Synopsis Disable Admin Account and Sets Random Password ​ .Description ​ .Version #> #Password length $length = 20 ​ #Minimum number of symbols to use in the password #Do not set to high as this will remove complexity and make passwords easier to compromise $random = 5 ​ #Creates random password $assembly = Add-Type -AssemblyName system.web $randPass = [System.Web.Security.Membership]::GeneratePassword($length,$random) ​ #Var for Administrator Account $admin = "Administrator" ​ #Sets Administrator password net user $admin $randPass /YES #Disable Administrator account net user $admin /active:yes ​

​To set a time server by either IP or fqdn for non-domain joined clients. ​ For instructions on how to deploy from MDT (here) <# .Synopsis Set Time Server for non-domain joined clients (0x8) to fqdn's address ​ .Description ​​ .Version #> ​ Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' -name NTPServer -Value "pool.ntp.org time.windows.com,0x8 time.google.com,0x8 " -Force ​ ​ <# .Synopsis ​Set Time Server for non-domain joined clients (0x8) to time server IP address ​ .Description ​​ .Version #> Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' -name NTPServer -Value "192.168.0.10,0x8 192.168.0.11,0x8" -Force

It's standard for applications services to run with System. In many cases, this is excessive and leaves the Operating System vulnerable to escalation attacks particularly if there is an unquoted path or an unpatched vulnerability. ​ The following is a script deployable from MDT or SCCM for use on standalone and domain-joined systems. It's when the service account doesn't require a domain account but benefits from the least privilege and randomized passwords. The script creates a service account without any elevated privileges and adds to the 'Logon as Service' Right and then updates the Windows Service for the targeted application. ​ The password for each svc account is unique to prevent one compromised password from allowing all systems with that account and password combination to be compromised. Passwords are not written out to disk, otherwise its possible recover the files and password with recovery tools. ​ The github script is downloadable from (here) <# .Synopsis Update a Windows Service that is using system to a non-priv user account .Description List the service account name and name of the Windows Service to be updated. ​ Create the User account and strip out Local User group so its not interactive, set a randomized password ​ Update the Service with account and password ​ Export and update User Rights Assignments for the Service Account to have 'Logon as a Service' right .Version #> #List of Service Accounts (svc_) and the application the svc_ will run as a service $svc1 = @{"svc_splunk" = "splunk"} $svc2 = @{"svc_account2" = "Application2"} $svc3 = @{"svc_account3" = "Application3"} ​ $svcUsers = $svc1, $svc2, $svc3 ​ #Create Service Account, randomised password #Find Windows Service and update to use Service account foreach ($svcAcc in $svcUsers) { #Svc Account $svcAccount = $svcAcc.Keys #Application Name $appName = $svcAcc.Values ​ #Password length $length = 12 ​ #Number of random characters $random = 3 ​ #Creates complex random password for each svc account $assembly = Add-Type -AssemblyName system.web $randPass = [System.Web.Security.Membership]::GeneratePassword($length,$random) ​ #Create svc account with randomized password and unable to change own password. net user $svcAccount $randPass /PASSWORDCHG:NO /ADD /YES ​ #remove user group so its a service account and not able to interactively logon net localgroup users $svcAccount /DELETE ​ #if account needs access to read security events, normally if service account event forwards to SIEM if ($svcAccount -eq "svc_splunk") { #add to eventlog users group to read security event logs net localgroup "Event Log Readers" $svcAccount /ADD } #sets password to never expire WMIC useraccount where "Name='$svcAccount'" SET PasswordExpires=FALSE ​ #get the Windows Service based on the name of the listed App $svcName = gwmi Win32_service -Filter "name='$appName'" ​ #Update Windows Service so the svc account and password replace system service $svcNAme.change($null,$null,$null,$null,$null,$false,".\$svcAccount",$randPass) } #Hostname $hn = hostname ​ #Create new folder to export security template to $path = "C:\Logs\Services" New-Item $path -ItemType Directory -Force ​ #Export Security Settings inc User Rights Assignments with secedit.exe secEdit.exe /export /cfg $path\currentTemplate.inf ​ #List the current user account SID's for 'Logon as a service' $logonAsRight = Select-String $path\currentTemplate.inf -Pattern "SEServiceLogonRight" $origSids = $logonAsRight.Line ​ #Create an empty Template Add-Content -Path $path\newTemplate.inf -Value '[Unicode]' Add-Content -Path $path\newTemplate.inf -Value 'unicode=YES' Add-Content -Path $path\newTemplate.inf -Value '[System Access]' Add-Content -Path $path\newTemplate.inf -Value '[Event Audit]' Add-Content -Path $path\newTemplate.inf -Value '[Registry Values]' Add-Content -Path $path\newTemplate.inf -Value '[version]' Add-Content -Path $path\newTemplate.inf -Value 'signature="$CHICAGO$"' Add-Content -Path $path\newTemplate.inf -Value 'Revision=1' Add-Content -Path $path\newTemplate.inf -Value '[Privilege Rights]' ​ #array for new service accounts and their sids $svcSid=@() foreach ($svcAcc in $svcUsers) { #Service Account $svcAcc = $svcAcc.Keys ​ #Application Name for Service $appName = $svcAcc.Values ​ #new object for each service account $objUser = New-Object System.Security.Principal.NTAccount("$hn\$svcAcc") $strSid = $objUser.Translate([System.Security.Principal.SecurityIdentifier]) $svcSid += $strSid.Value } #take original sids and add to new list of sids $sidOld =@() $sidOld += $origSids ​ #combined list of sids foreach ($svc in $svcSid) { $sidCombine += ",*$svc" } ​ #foreach sid add to the newTemplate.inf foreach ($sidIndi in $sidCombine) { Add-Content -Value $sidIndi -Path $path\newTemplate.inf -NoNewline } ​ #Run the SecEdit command to import the all accounts and add to Logon as a Service. secedit.exe /configure /db $path\secEdit.sdb /cfg $path\newTemplate.inf /log $path\newTemplate.log ​