Create Windows Task Scheduler

This page describes how to create a Windows scheduled task that runs under an account holding only the rights it needs. The account should carry no unused permissions; for example, it should not be allowed to log on at the console, either locally or remotely.

  1. Press Win + R, type “taskschd.msc” and press Enter.
  2. Create the task in the Task Scheduler as planned.
  3. Select the “Run whether user is logged on or not” radio button.
  4. Check the “Do not store password” checkbox.
  5. Check the “Run with highest privileges” checkbox.
  6. Assign the task to run under the new user account.
    1. Refer to the section “Create a local account without console logon” below.
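The same task can be registered from PowerShell with the settings the GUI steps select. This is an added example, not code from the original post; it assumes the restricted local account is named batchuser (created as in the section below) and that the job is a hypothetical robocopy file copy.

```powershell
# Added example: register the task with the settings chosen in steps 3-6.
# Assumptions: local account 'batchuser' already exists and holds only the
# "Log on as a batch job" right; the source/destination paths are placeholders.
$TaskName = 'NightlyFileCopy'
$Source   = 'C:\data'       # placeholder
$Dest     = 'D:\backup'     # placeholder

$Action = New-ScheduledTaskAction -Execute 'robocopy.exe' `
    -Argument "`"$Source`" `"$Dest`" /E /R:1 /W:5 /LOG+:C:\logs\filecopy.log"

$Trigger = New-ScheduledTaskTrigger -Daily -At 02:00

# LogonType S4U is the combination "Run whether user is logged on or not" +
# "Do not store password": Task Scheduler builds a token for the account without
# a saved credential, so the account needs only the batch logon right.
# RunLevel Highest corresponds to "Run with highest privileges".
$Principal = New-ScheduledTaskPrincipal -UserId "$env:COMPUTERNAME\batchuser" `
    -LogonType S4U -RunLevel Highest

$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings | Out-Null

# Confirm the task was registered with the intended account and logon type.
(Get-ScheduledTask -TaskName $TaskName).Principal |
    Select-Object UserId, LogonType, RunLevel
```

Because an S4U task has no stored password, it cannot authenticate to network shares; keep such jobs local or switch to a stored credential for remote destinations.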


Update

  1. Once “Do not store password…” is ticked, you may encounter error #2147943711.

Forensically Sound Windows

I use the term “Forensically Sound Environment” for an operating system whose logging and tracing are good enough to support the analysis of a specific case, whether in forensics or incident response. Below are some configurations that make an environment forensically sound.

Prerequisite

  1. Synchronize the date and time (to local time or UTC)

Windows

Most of these configurations are Windows artifacts. Applications such as IIS and Windows Advanced Firewall are included as well, but we cannot get any evidence from them unless their configurations are set properly, as in a forensically sound environment.

  1. EnablePrefetcher
  2. NtfsDisableLastAccessUpdate
  3. $LogFile
  4. Windows Recovery
  5. Minidump
  6. Windows Event Log
  7. WinRM service
  8. Event Tracing for Windows
  9. C:\> openfiles /local on
  10. Windows Advanced Firewall
  11. Application Log
    1. IIS
    2. Anti-Virus
    3. Adobe Reader

Linux

  1. Auditd
  2. iptables logging

Post Task

  1. Build MD5 white-list
  2. Logging remotely

I will describe each item above in more detail and link each title on this page. I hope to build this list together with you.

Create a local account without console logon

The goal of this manual is to assign a user only the privilege(s) needed for its purpose. For instance, you can refer to this page when creating an account for file copy, local script execution, or an FTP user.

1. Create a user as local account

  • GUI: lusrmgr.msc
  • CLI:
    • net user [username] [password] /ADD /PASSWORDCHG:no
    • WMIC USERACCOUNT WHERE "Name='[username]'" SET PasswordExpires=FALSE

[Screenshot: Windows Account Properties]

2. The user is a member of the Users group only

The user just created is automatically a member of the Users group, so we need to remove the user from the Users group. After that, add the user to a new group that will be authorized only to run as a batch job.

  • GUI: lusrmgr.msc
  • CLI:
    1. net localgroup Users [username] /delete
    2. net localgroup CLIUsers /add
    3. net localgroup CLIUsers [username] /add

3. The user is not allowed to log on either locally or remotely

The newly created group, CLIUsers, should not be allowed to log on either locally or remotely. Here is how to check.

[Screenshot: Windows Local Security Policy]

3.1 Locally

Check whether the ‘CLIUsers’ group is allowed to log on locally. The ‘CLIUsers’ group should not be included in the “Allow log on locally” policy.

  • GUI: secpol.msc / gpedit.msc
    [Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment –> Allow log on locally]

3.2 Remotely

Check whether the ‘CLIUsers’ group is allowed to log on through Remote Desktop Services.

  • GUI: gpedit.msc
    The CLIUsers group should not be included in the remote logon right at [Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment –> Allow log on through Remote Desktop Services]

[Screenshot: error message shown when logon is not allowed]

When you try to log on at the local console after the configuration above, you will see the error message shown in the screenshot.

3.3 Allow “Log on as a batch job”

  • GUI: gpedit.msc
    Add the “CLIUsers” group to “Log on as a batch job” at [Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment]

Now you can use the new account for a local service, such as Task Scheduler, in accordance with the principle of least privilege.
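Steps 1 to 3 above can be scripted and then verified from PowerShell. This is an added example, not the original post's code; it uses the LocalAccounts module for steps 1 and 2 and secedit to export the user-rights assignment for step 3. The account name batchuser is an assumption, CLIUsers is the group from the text, and the three user-right constants are the policy names behind 3.1, 3.2 and 3.3.

```powershell
# Added example: create the batch-only account and check the three logon rights.
# Run as an administrator. 'batchuser' is a placeholder name.
$UserName  = 'batchuser'
$GroupName = 'CLIUsers'
$Password  = Read-Host -AsSecureString 'Password for the new account'

# Step 1: local account whose password never expires and cannot be changed by the user
New-LocalUser -Name $UserName -Password $Password `
    -UserMayNotChangePassword -PasswordNeverExpires | Out-Null

# Step 2: out of Users, into the new batch-only group.
# net user /ADD puts the account into Users; New-LocalUser may not, so a
# "not a member" error here is harmless and is ignored.
Remove-LocalGroupMember -Group 'Users' -Member $UserName -ErrorAction SilentlyContinue
New-LocalGroup -Name $GroupName -Description 'Batch job accounts only' | Out-Null
Add-LocalGroupMember -Group $GroupName -Member $UserName

# Step 3: export the effective user-rights assignment. secedit writes an
# INI-style file in which each right lists its holders as *SID entries.
$GroupSid = (Get-LocalGroup -Name $GroupName).SID.Value
$Cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$Rights = @{}
foreach ($line in Get-Content $Cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $Rights[$Matches[1]] = ($Matches[2] -split ',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $Cfg

# 3.1 and 3.2 must NOT contain the group; 3.3 (set via gpedit.msc) must contain it.
$Checks = @(
    @{ Right = 'SeInteractiveLogonRight';       Expect = $false }  # Allow log on locally
    @{ Right = 'SeRemoteInteractiveLogonRight'; Expect = $false }  # Allow log on through RDS
    @{ Right = 'SeBatchLogonRight';             Expect = $true  }  # Log on as a batch job
)
foreach ($c in $Checks) {
    $has   = @($Rights[$c.Right]) -contains $GroupSid
    $state = if ($has -eq $c.Expect) { 'OK ' } else { 'FIX' }
    '{0} {1,-32} group present: {2}' -f $state, $c.Right, $has
}
```

The check looks only at the CLIUsers group SID; an account can still hold a logon right through another group it belongs to, so also review any other memberships the account has.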

Why is NLA more secure than before?!

While configuring a server for RDP connections, I became curious about the following option: “Allow connections only from computers running Remote Desktop with Network Level Authentication”. Moreover, the Korean version adds “recommended” and the English version adds “more secure” as further explanation.

[Screenshot: Windows Remote Desktop options]

What is “Network Level Authentication (NLA)”? Googling it, it is described as a particular program passing the user's credentials to the server through CredSSP (Credential Security Support Provider) before a session is created.

I could not grasp what difference turning that option on or off actually made, but after reading this article (Windows Server 2008 R2: Why Use Network Level Authentication?) I think I finally understand. Normally, even before a session is created, a screen is generated to obtain the user's ID/password; on Windows this starts a number of resources such as csrss.exe and winlogon.exe. NLA, then, is the process of sending the user's information to the server before such a session starts, proving that the session is being requested by a user who really intends to log in.

Additionally, if you open a *.rdp file in a text editor, you can see its options; the two options below appear to be related to authentication.