Windows Server Archives - Sysadmins of the North

Windows privilege escalation guide

Jan Reilink on 22 March 2018

Ryan McFarland writes on his blog: “Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for. This takes familiarity with systems that normally comes along with experience. At first privilege escalation can seem like a daunting task, but after a while you start to filter through what is normal and what isn’t. It eventually becomes easier to know what to look for rather than digging through everything hoping to find that needle in the haystack. Hopefully this guide will provide a good foundation to build upon and get you started.”

List all SPNs used in your Active Directory

Jan Reilink on 26 February 2018

There are a lot of hints & tips out there for troubleshooting SPNs, or Service Principal Names. Listing duplicate SPNs is fairly easy, just use setspn -X on your command-line and you’ll find out. But how do you find out which SPNs are used for which users and computers are used for this?

Important note about Windows Update KB4056892

Jan Reilink on 5 January 2018

There is another VERY IMPORTANT THING with Microsoft Meltdown patches like update KB4056892: – Customers will not receive these security updates and will not be protected from security vulnerabilities unless their anti-virus software vendor sets the following registry key:

WsusPool keeps crashing: stops again and again

Jan Reilink on 25 May 2017

Sometimes you find your WSUS server keeps crashing over and over again. WSUS is unavailable and/or the WSUS management console hangs. When you start to investigate as to why Windows Server Update Services crashes, you’ll notice the following error message being logged in the HTTPErr log files:

Merge multiple files into one new file in Windows

Jan Reilink on 16 May 2017

A quicky: if you need to merge multiple text files into one new file in Windows, you can use the copy command in cmd.exe, and here is how:

How to disable SMBv1 in Windows 10 and Windows Server

Jan Reilink on 13 May 2017

Disable SMBv1 to prevent prevent Petya/NotPetya, WannaCry/WanaCrypt0r ransomware spreading on your network. These worm viruses exploit a vulnerability in Windows Server Message Block (SMB) version 1 (SMBv1), and spread like wildfire. It is urged you disable SMBv1 in your Windows variant (Windows 10, 8.1, Server 2016, 2012 R2), and here is how if you haven’t done so yet.

How to detect ethernet network speed in Windows

Jan Reilink on 12 May 2017

Ideal for Windows Server Core or Nano: Detect the ethernet network speed using PowerShell or WMI is ideal for Windows Server Core or Nano. If you ever need to lookup the speed of your ethernet network card in Windows on the command-line, use one of the following WMIC commands on your PowerShell prompt:

Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege

Jan Reilink on 12 May 2017

Microsoft Security Advisory 4021279: Microsoft is releasing this security advisory to provide information about vulnerabilities in public .NET Core and ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications correctly.

DisableNSRecordsAutoCreation with Dnscmd

Jan Reilink on 2 May 2017

This post explains how to restrict automatic NS resource record registration in Windows Server DNS using Dnscmd. This prevents Windows Server DNS to automatically create NS records for zones that it hosts on the server.

Intrusion Detection with Windows Event ID’s

Jan Reilink on 13 September 2016

Found via cyber-ir.com: This paper is the best I have ever read on how to build IOC’s with Windows Event ID’s. I highly recommend you to read it, it contains very useful information and some very interesting behavioural examples of attacker activity. If you are looking to enhance your detection in your core network this is the document!

5 Extra ways to clean up disk space in Windows Server

Jan Reilink on 16 August 2016

Disk cleanup in Windows Server 2012 (R2) using DISM is one of the most popular posts here on Saotn.org. It’s also valid for Windows Server 2016. So apparently, disk space usage is an issue on Windows Server. And that made me wonder: what more ways to clean up disk space in Windows Server are there?

Windows Server 2016 licensing model

Jan Reilink on 10 August 2016

Mark O’Shea writes on TechNet that the licensing model for Standard and Datacenter were changed with Windows Server 2016, and he introduces the changes. The information is pulled from the Windows Server 2016 Licensing Datasheet, and if you need more details you can also download the Windows Server 2016 and System Center 2016 licensing FAQ. Spoil alert (tl;dr): you’ll be paying on a core-basis, instead of per CPU.

KB3157663: Cumulative Update for Windows Server 2016 Technical Preview 5

Jan Reilink on 7 June 2016

When you’re installing Windows Server 2016 Technical Preview 5, don’t forget to install KB3157663 before installing any server roles, features, or other products. Installing KB3157663 prior to any other software will fix an error with DISM and Install-WindowsFeature, error code 0x800F081F:

KMS Migration from 2008 R2 to Windows Server 2012 R2 and KMS Activation Known Issues

Jan Reilink on 2 June 2016

How to migratie an Windows Server 2008 R2 KMS to Windows Server 2012 R2, for volume activation of Microsoft products? On a new KMS server? You don’t, apparently there is no Windows Server 2008 (R2) KMS to Windows Server 2012 R2 migration. There is no way to automatically transfer your KMS role along with the products its activating to another server. Luckily Charity Shelbourne wrote up a handy how to for this task.