Security

DNS is a protocol that lends itself to abuse because it’s largely unmonitored and unrestricted. This article explains how data exfiltration from a corporate network via DNS works and shows how to set up a working exfiltration demo with DNSteal.

This article presents two different detection types for insecure filesystem permissions on Windows endpoints: scanning for directories that are user-writable, and detecting processes that are started from user-writeable directories. Directory Scan With ListUserWriteableDirectories & SetACL My ListUserWriteableDirectories script is an implementation of the first detection type: it scans the filesystem listing any permissions not known to be safe.

Windows Hello for Business (WHfB) stores a cryptographic key on the device. The preferred storage location is a hardware TPM module. However, if a TPM is not available, the key may be stored in the filesystem instead. It’s surprisingly hard to determine the storage location for existing Windows Hello for Business keys. This article presents a simple solution.

The recent Windows 11 announcement has created a lot of confusion due to the requirement for a trusted platform module (TPM). This article explains why your machine almost certainly has a TPM, how to check the TPM status and how to enable the TPM that comes with your CPU.

This is a list of simple things that will protect you from nearly all the real-world IT security issues affecting individuals and SOHO users. 1. Install All the Updates What Should You Do? Enable automatic updates wherever possible Don’t use obsolete software versions Why Is It Important? Older software versions often have known security issues for which exploits are readily available. This means that even script kiddies can easily attack large numbers of users.

This post lists the internet communication targets of Adobe Acrobat Reader, Photoshop, and Creative Cloud. This post is a part of my application network connection monitoring series, a group of articles that explain how to analyze the network traffic of any Windows or macOS app.

This post lists the internet communication targets of Citrix Virtual Apps and Desktops (formerly XenApp/XenDesktop). This post is a part of my application network connection monitoring series, a group of articles that explain how to analyze the network traffic of any Windows or macOS app.

This post lists the internet communication targets of the Microsoft Windows operating system, including its various services and UWP apps. This post is a part of my application network connection monitoring series, a group of articles that explain how to analyze the network traffic of any Windows or macOS app.

This post lists the internet communication targets of Microsoft Office and Teams. It is a part of my application network connection monitoring series, a group of articles that explain how to analyze the network traffic of any Windows or macOS app.

This is part 1 of my application network connection monitoring series, a group of articles that explain how to analyze the network traffic of any Windows or macOS app. The communication targets of the Windows OS and of many popular apps are listed in dedicated posts.

This post is a collection of my notes about my search for secure collaboration and communication tools for smaller organizations, specifically vast limits. I will update it from time to time.

Mozilla had planned to disable the insecure versions 1.0 and 1.1 of the TLS protocol in Firefox 74. Unfortunately, they reverted that planned change. This post explains how to disable insecure TLS versions yourself.

How to centrally manage essential security settings of self-managed devices This is a guest post by Martin Kretzschmar, customer success engineer at vast limits, the uberAgent company. One thing I especially like about my everyday working life is the flexibility it offers. I appreciate the freedom of choice in terms of location, time and device. We want to avoid getting into micro-management but, being an IT company, we also need to provide the necessary security where needed.

You have probably been in this situation: on some shopping site you put an article in your cart, but decide not to buy it after all. Later on, you notice that you are getting targeted ads for the exact same product on totally unrelated sites - or so you think. There is, however, a common denominator: the ad network. It tracks you quite effectively as you move from site to site. Many people are not exactly happy about that and turn to ad blockers to guard their privacy. This article looks at one way to measure the ad blockers’ effectiveness in terms of keeping their users’ privacy.

User accounts created in Azure AD are subject to Azure AD’s password policies and restrictions, whose defaults are far from optimal. Unfortunately, the most severe shortcomings cannot currently be changed.

As the Box IPO shows enterprise cloud file synchronization & sharing (EFSS) is a hot topic. Yet the hottest vendors do not “get” security. Kryha-Chiffriermaschine, Kryha-Encryption Device by Ryan Somma under CCWhat is Cloud EFSS? Everybody knows what a file server is. It stores any kind of document an organization needs to work with. As such its importance is similar to email. A file server’s main characteristics are:

With the advent of BYO it has become fashionable to regard PCs as untrusted devices that should be isolated in a dedicated security zone. Zoning Such an approach has a big advantage: by separating clients from servers it is possible to treat them differently and potentially apply more relaxed security policies - which is a basic requirement for BYO. In a truly BYO-only environment you block everything except Citrix ICA or some other remoting procotol of choice at the firewall and life is good. In real corporate networks things are a bit more complicated, however. Say you want to isolate your managed Windows PCs. In that case you might want to be able to manage them remotely from systems outside the client security zone (e.g. from management terminal servers). And suddenly you have a problem: Windows management protocols, especially RPC and DCOM, are not exactly firewall-friendly.

It sometimes happens when I reply to an e-mail from somebody who is asking about my products that the receiving mail server rejects my message with the code “554 rejected due to spam content”.

Due to the strict permissions on the System Volume Information directory finding out its true size is not easy. Explorer is really bad at such things. It definitely was not made for administrative tasks. It displays the directory size as zero bytes:

This article is part of my small series about AppLocker, a technology built into Windows that enables administrators to audit and optionally block application execution. AppLocker and UAC One of the default rules allows unrestricted application execution for administrators. That is only sensible. After all, someone needs to be able to troubleshoot and perform maintenance. However, if UAC is enabled, that rule is not very useful. Remember: UAC filters the SID for the group Administrators from the access token during normal operation. With the Administrators’ SID gone, AppLocker is active for administrators in the same way it is for all other users. Administrators wishing to bypass AppLocker need to start executables from an elevated command prompt (or right-click and select run as administrator), which is often impractical.

This article is part of my small series about AppLocker, a technology built into Windows that enables administrators to audit and optionally block application execution. AppLocker Security There is no perfect security, every product has its vulnerabilities and AppLocker is no exception. These are the problems I am aware of.

This is the first in a small series of articles about AppLocker, a technology built into Windows that enables administrators to audit and optionally block application execution. Requirements AppLocker works on:

A while ago I wrote about the dangers of using unencrypted Wi-Fi networks. Right now I am connected to such a network and trying hard not to give away authentication cookies or passwords - information that would make it trivial even for amateurs to take over one or several of my accounts.

Among the many security options that are configurable via Group Policy, there is a setting Interactive logon: Require Domain Controller authentication to unlock workstation. For security reasons, this is often enabled. Let’s have a closer look at the implications. Those are different from what one might think because the name is a little misleading.