
"gpupdate" vs "gpupdate /force" & Group Policy Processing Order

gpupdate vs gpupdate /force

A Microsoft Windows Group Policy refresh can be triggered manually using the command "gpupdate". There is an option called "/force". The difference between the two is:
  • gpupdate = if nothing has changed, nothing is changed; only settings that differ from the last refresh are processed
  • gpupdate /force = reapply all settings even though nothing has changed; changes are immediately applied

Source: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpupdate

Group Policy Processing Order

With this in mind, remember the Group Policy processing order, i.e. the order in which the group policies are applied on Windows:
  1. First, the Local Group Policies are applied
  2. Second come the Site Group Policies
  3. Third are the Domain Group Policies
  4. Finally the OU Group Policies are applied (if there are multiple nested OUs, they are applied from the top down, parent OU before child OU)
Sources: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc785665(v=ws.10)?redirectedfrom=MSDN & https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc757050(v=ws.10)?redirectedfrom=MSDN
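To make the "later wins" consequence of this order concrete, here is an added worked example (not code from the original post): it derives the Local → Site → Domain → OU (top down) sequence from a computer object's distinguished name and merges per-scope settings so that the scope applied last overrides the earlier ones. The DN, site name and setting values are constructed samples; Enforced links, Block Inheritance and WMI filters are deliberately not modelled.

```python
"""Group Policy processing order (LSDOU) derived from an object's DN.

Added example, not from the original post. Enforced links and
'Block Inheritance' are not modelled; this is the plain order described
in the post: Local, Site, Domain, then OUs from the top down.
"""


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a simple LDAP distinguished name into (type, value) pairs,
    left to right. Escaped commas inside values are not handled."""
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        parts.append((key.upper(), value))
    return parts


def processing_order(object_dn: str, site: str) -> list[str]:
    """Return the GPO scopes in the order they are applied, first to last.

    Where two scopes set the same policy, the later entry wins, so the
    last OU in the list has the highest precedence.
    """
    parts = parse_dn(object_dn)
    domain_components = [v for k, v in parts if k == "DC"]
    domain_dn = ",".join(f"DC={v}" for v in domain_components)
    domain_name = ".".join(domain_components)

    # In the DN the OUs run from the most specific (child) to the least
    # specific (parent); policy processing walks them the other way round.
    ou_dns = []
    for i, (k, _) in enumerate(parts):
        if k == "OU":
            ou_dns.append(",".join(f"{key}={val}" for key, val in parts[i:]))
    ou_dns.reverse()

    order = [
        "Local Group Policy",
        f"Site: {site}",
        f"Domain: {domain_name} ({domain_dn})",
    ]
    order.extend(f"OU: {ou}" for ou in ou_dns)
    return order


def effective_settings(settings_in_order: list[dict]) -> dict:
    """Merge the settings of each scope in processing order; last writer wins."""
    effective: dict = {}
    for scope_settings in settings_in_order:
        effective.update(scope_settings)
    return effective


# Constructed sample data: a workstation in a nested OU structure.
SAMPLE_DN = "CN=PC01,OU=Workstations,OU=Berlin,DC=corp,DC=example"
SAMPLE_SITE = "Berlin-HQ"
SAMPLE_SETTINGS = [
    {},                                       # Local: nothing configured
    {},                                       # Site: nothing configured
    {"ScreenSaverTimeout": 900, "LockoutThreshold": 10},  # Domain
    {"LockoutThreshold": 5},                  # OU=Berlin
    {"ScreenSaverTimeout": 600},              # OU=Workstations (applied last)
]

if __name__ == "__main__":
    for step, scope in enumerate(processing_order(SAMPLE_DN, SAMPLE_SITE), 1):
        print(f"{step}. {scope}")
    print("Effective:", effective_settings(SAMPLE_SETTINGS))
```

Reading the merged result shows why a value that looks right at domain level can still be overridden by a link deeper in the OU tree; that is also the order to check when a "gpupdate /force" does not produce the setting you expected.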

Account Lockout Policy - A possible threat

Most companies use an account lockout policy for their directory service, such as Microsoft Active Directory, an LDAP system, eDirectory or their own in-house solution. Locking out accounts is helpful against password guessing attacks such as brute force (https://attack.mitre.org/techniques/T1110/) or similar ones.

However: an attacker is able to use lockout policies, too.

The following scenario is fairly new, but has already been used in the last two years:
1. Attacker gains access to the environment
2. Attacker creates their own administrative accounts
3. Attacker brute forces all other administrative accounts
👉 This way, the attacker makes sure that all legitimate administrators are locked out.

This is an advanced threat and not a very common attack, yet. The solution is to make sure that not all accounts are affected by the lockout policy. Instead, a very small number of dedicated emergency accounts, which are normally not used and whose credentials are stored in a safe location, should be excluded from it. Those accounts (like all administrative accounts) should be monitored closely in your SIEM or logging systems.
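The monitoring the post asks for can be sketched as detection logic. The following is an added example (not code from the original post) that runs over constructed events shaped like Windows Security log fields and flags the two halves of the scenario above: a freshly created account being added to a privileged group, and a burst of lockouts across administrative accounts. The event IDs are the standard Security log IDs (4720 account created, 4728/4732/4756 member added to a security-enabled group, 4740 account locked out); the account names, timestamps, group names and thresholds are assumptions chosen for the sample.

```python
"""Detect the 'lock out all the admins' pattern from Security log events.

Added example, not from the original post. Events are constructed dicts
carrying the Security log fields the detection needs.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global/local/universal group
ACCOUNT_CREATED = 4720
ACCOUNT_LOCKED_OUT = 4740

# Constructed sample: which accounts count as administrative in this tenant.
ADMIN_ACCOUNTS = {"adm-alice", "adm-bob", "adm-carol", "adm-dave", "breakglass-01"}

# Constructed sample events (ISO timestamps, Security log event IDs).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T07:00:00", "id": 4740, "target": "adm-dave", "caller": "WS017"},
    {"time": "2024-05-01T09:00:00", "id": 4720, "subject": "CORP\\svc-backup", "target": "helpdesk-adm2"},
    {"time": "2024-05-01T09:00:30", "id": 4728, "subject": "CORP\\svc-backup", "target": "helpdesk-adm2",
     "group": "Domain Admins"},
    {"time": "2024-05-01T09:02:00", "id": 4740, "target": "adm-alice", "caller": "WS042"},
    {"time": "2024-05-01T09:02:10", "id": 4740, "target": "adm-bob", "caller": "WS042"},
    {"time": "2024-05-01T09:02:25", "id": 4740, "target": "adm-carol", "caller": "WS042"},
    {"time": "2024-05-01T09:05:00", "id": 4740, "target": "jdoe", "caller": "WS101"},  # ordinary user, ignored
]


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def suspicious_privilege_grants(events, max_age=timedelta(hours=1)):
    """Accounts created (4720) and added to a privileged group within max_age.

    Returns (account, group, subject) tuples so the SIEM alert can name the
    creating identity, not just the new admin.
    """
    created = {e["target"]: parse_time(e["time"])
               for e in events if e["id"] == ACCOUNT_CREATED}
    findings = []
    for e in events:
        if e["id"] in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            created_at = created.get(e["target"])
            if created_at is not None and parse_time(e["time"]) - created_at <= max_age:
                findings.append((e["target"], e["group"], e["subject"]))
    return findings


def privileged_lockout_bursts(events, admin_accounts, window=timedelta(minutes=10), threshold=3):
    """First window in which at least `threshold` distinct admin accounts were
    locked out (4740). Returns [(window_start_iso, sorted_account_names)] or []."""
    lockouts = sorted(
        (parse_time(e["time"]), e["target"])
        for e in events if e["id"] == ACCOUNT_LOCKED_OUT and e["target"] in admin_accounts
    )
    for i, (start, _) in enumerate(lockouts):
        in_window = {name for t, name in lockouts[i:] if t - start <= window}
        if len(in_window) >= threshold:
            return [(start.isoformat(), sorted(in_window))]
    return []


if __name__ == "__main__":
    for acct, group, who in suspicious_privilege_grants(SAMPLE_EVENTS):
        print(f"ALERT new privileged account {acct} added to {group} by {who}")
    for start, names in privileged_lockout_bursts(SAMPLE_EVENTS, ADMIN_ACCOUNTS):
        print(f"ALERT {len(names)} admin accounts locked out from {start}: {', '.join(names)}")
```

The lone early-morning lockout of one admin and the ordinary user's lockout produce nothing; three administrative accounts locked out within minutes do. Pairing that alert with the "new account straight into Domain Admins" finding is what lets an analyst tell this scenario apart from a misconfigured service account hammering a password.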

Monitor a UniFi WLAN Access Point with PRTG via SNMPv3 (Auth + Encrypted)

This is a tiny guide on how to monitor your UniFi wireless access point, in this case a UniFi U7 Pro, with SNMPv3 using AES encryption and SHA authentication...