Technote
Latest posts
MS IIS server (Web server)
March 15, 2023
Updated on 2023-03-15

IIS 10.0 version 1809 is, at the time of writing, the latest version of Internet Information Services (IIS); it shipped with the Windows 10 October 2018 Update and Windows Server 2019.

Configuration files

ApplicationHost.config: this file is the root of the configuration system on IIS 7 and later. It holds the definitions of all sites, applications, virtual directories and application pools, plus the global defaults for the web server settings, so it controls the server itself. It lives in the %windir%\system32\inetsrv\config directory.

web.config: this file controls configuration at the site and application levels....
Get user last login [Azure, Intune]
February 9, 2023
We may need a list of users whose passwords are older than we expect. The script below produces a password-age report. It reads the target users from on-premises AD (the OU given in -SearchBase) and looks each one up in Azure AD through the MSOnline module, so it assumes the UPNs match on both sides:

```powershell
## Test whether we are already connected to MSOnline.
function MSOLConnected {
    Get-MsolDomain -ErrorAction SilentlyContinue | Out-Null
    $result = $?
    return $result
}

Import-Module ActiveDirectory
Import-Module MSOnline
if (-not (MSOLConnected)) {
    Connect-MsolService
}

$Students_BYOD = Get-ADUser -Filter * -SearchBase "OU=2026,OU=Students,OU=Users,DC=curric,DC=your_company,DC=com"
$time_limit = (Get-Date).Date.AddDays(-68)

foreach ($student_BYOD in $Students_BYOD) {
    Get-MsolUser -UserPrincipalName $student_BYOD.UserPrincipalName |
        Select-Object UserPrincipalName, LastPasswordChangeTimestamp,
            @{Name = "PasswordAge"; Expression = { (Get-Date) - $_.LastPasswordChangeTimestamp }} |
        Where-Object { $_.LastPasswordChangeTimestamp -lt $time_limit } |
        Export-Csv D:\tmp\LastPasswordChange.csv -NoTypeInformation -Append
}
```
...
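The MSOnline module is deprecated, so the same report written against the Microsoft Graph PowerShell SDK is shown below. This is an added example, not the original post's script: the 68-day threshold and the CSV path come from the post; the example.com users, the function name Get-StalePasswordReport and the assumption that the calling account can consent to User.Read.All are mine. Unlike the post's script it reports the whole tenant rather than one OU, and it flags accounts that have never changed their cloud password instead of silently skipping them.

```powershell
# Added example: password-age report via Microsoft Graph instead of MSOnline.
# Requires the Microsoft.Graph.Users module; the live part assumes the caller
# can consent to the User.Read.All scope.

function Get-StalePasswordReport {
    # Pure function: takes objects carrying UserPrincipalName and
    # LastPasswordChangeDateTime and returns those whose password is older
    # than $MaxAgeDays, annotated with the age in days. Keeping the logic
    # separate from Graph lets it be exercised with constructed data.
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $MaxAgeDays = 68,
        [datetime] $Now = (Get-Date)
    )
    $limit = $Now.Date.AddDays(-$MaxAgeDays)
    foreach ($u in $Users) {
        # Accounts that never set a password in the cloud report $null;
        # surface them explicitly rather than dropping them.
        if ($null -eq $u.LastPasswordChangeDateTime) {
            [pscustomobject]@{
                UserPrincipalName          = $u.UserPrincipalName
                LastPasswordChangeDateTime = $null
                PasswordAgeDays            = $null
                Status                     = 'NeverChanged'
            }
            continue
        }
        if ($u.LastPasswordChangeDateTime -lt $limit) {
            [pscustomobject]@{
                UserPrincipalName          = $u.UserPrincipalName
                LastPasswordChangeDateTime = $u.LastPasswordChangeDateTime
                PasswordAgeDays            = [math]::Floor(($Now - $u.LastPasswordChangeDateTime).TotalDays)
                Status                     = 'Stale'
            }
        }
    }
}

# Constructed sample data so the function can be run offline: one fresh,
# one stale, one never-changed account. Only 'stale' and 'never' are reported.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'fresh@example.com'; LastPasswordChangeDateTime = (Get-Date).AddDays(-10) }
    [pscustomobject]@{ UserPrincipalName = 'stale@example.com'; LastPasswordChangeDateTime = (Get-Date).AddDays(-120) }
    [pscustomobject]@{ UserPrincipalName = 'never@example.com'; LastPasswordChangeDateTime = $null }
)
Get-StalePasswordReport -Users $sample | Format-Table -AutoSize

# Live run against the tenant (uncomment once Microsoft.Graph.Users is installed):
# Connect-MgGraph -Scopes 'User.Read.All'
# $users = Get-MgUser -All -Property UserPrincipalName, LastPasswordChangeDateTime
# Get-StalePasswordReport -Users $users |
#     Export-Csv D:\tmp\LastPasswordChange.csv -NoTypeInformation
```

The report function takes plain objects rather than calling Graph itself, so the same code can be pointed at the output of Get-ADUser -Properties PasswordLastSet (after renaming the property) to compare on-premises and cloud password ages side by side.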
Cisco CME Troubleshooting
February 2, 2023
To show debug output on a telnet/SSH session:

terminal monitor

Common commands to troubleshoot SIP (debug ccsip has several options):

debug ccsip all: enables all ccsip debugging. This debug is very active; use it sparingly in a live network.
debug ccsip calls: displays all SIP call details as they are updated in the SIP call control block. You can use it to monitor call records for suspicious clearing causes.
debug ccsip errors: traces all errors encountered by the SIP subsystem.
debug ccsip events: traces events such as call setups, connections and disconnections. An events version of a debug command is often the best place to start, before the more detailed debugs.
debug ccsip info: traces general SIP security parameter index (SPI) information, including verification that call redirection is disabled.
debug ccsip media: traces SIP media streams.
debug ccsip messages: shows the headers of SIP messages exchanged between a client and a server.
debug ccsip preauth: enables diagnostic reporting of authentication, authorization and accounting (AAA) for SIP calls.
debug ccsip states: displays the SIP states and state changes for sessions within the SIP subsystem.
debug ccsip transport: traces the SIP transport handler and the TCP or UDP process.

Show the SIP registration status, including the SIP trunk lines:

```
UC560#show sip-ua register status
Line            peer       expires(sec)  registered  P-Associ-URI
=============== ========== ============  ==========  ============
613xxxxxxxx     -1         1750          yes
```

Disable debugging:

no debug all

Reference: https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-border-element/white_paper_c11-613550.html...
Bitlocker for Removable drive
January 13, 2023
You may see a notice like the one below, saying "Before you can save files on this drive, you need to encrypt it using BitLocker." To turn this off, use the Group Policy setting under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives: find "Deny write access to removable drives not protected by BitLocker" and set it to Disabled. Note: don't choose "Not configured"; as of January 2023 this is a bug with the setting. Keep in mind that this policy is the control that stops data being copied to unencrypted USB drives, so scope the Disabled setting to the OUs that genuinely need it rather than the whole domain....
Renew AD FS Service Communications certificate
January 10, 2023
SSL certificate renewal

If your communication with another app is encrypted with a certificate from a trusted third-party CA, the maximum validity is 397 days, so you have to do this job every year:

1. Renew the certificate at your CA, for example DigiCert.
2. Export the certificate together with its private key, i.e. as a PFX file (a .cer file carries only the public part and is not enough for AD FS).
3. Copy the file to the AD FS server, open mmc.exe, Add/Remove Snap-in > Certificates > Computer account > Local computer.
4. Import the file into Certificates (Local Computer) > Personal > Certificates.
5. Double-click the imported certificate, go to the Details tab, select Show: <All>, find Thumbprint and copy it to a text file with the spaces removed, something like '7503ffb9da7ee64971e50a37fbe1b53dd7eeeef8'.
6. On the AD FS server, run PowerShell as administrator and install the new SSL certificate:

Set-AdfsSslCertificate -Thumbprint '7503ffb9da7ee64971e50a37fbe1b53dd7eeeef8'

7. In the AD FS Management console, expand Service > Certificates. In the right pane click Set Service Communications Certificate..., choose the certificate you imported and click OK.
8. Restart the AD FS service.

If you also run Web Application Proxy servers, import the same PFX on each of them and set it there with Set-WebApplicationProxySslCertificate, otherwise external clients keep being served the old certificate....
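A check-and-apply version of the steps above, as an added PowerShell example (not the post's own commands). It refuses to go ahead if the certificate in the machine store has no private key or is already close to expiry, then sets both the SSL binding and the service communications certificate with the AD FS cmdlets and reads them back. The PFX path is a placeholder; the thumbprint is the one quoted in the post; the function names are chosen here.

```powershell
# Added example (not from the original post): validate and install a renewed
# AD FS certificate. Run in an elevated PowerShell on the primary AD FS server.

function Test-AdfsCandidateCert {
    # Returns the certificate object if it is usable for AD FS, otherwise throws.
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [int] $MinDaysLeft = 30
    )
    $thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()   # tolerate a pasted thumbprint with spaces
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        throw "No certificate with thumbprint $thumb in LocalMachine\My; import the PFX first"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $thumb has no private key; you imported a .cer, not the PFX"
    }
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt $MinDaysLeft) {
        throw "Certificate $thumb expires in $daysLeft days; renew it before installing"
    }
    return $cert
}

function Update-AdfsServiceCert {
    param([Parameter(Mandatory)] [string] $Thumbprint)
    $cert = Test-AdfsCandidateCert -Thumbprint $Thumbprint
    Write-Host "Installing $($cert.Subject), valid until $($cert.NotAfter)"

    # 1. SSL binding used by HTTP.sys for the federation service endpoints.
    Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
    # 2. Service communications certificate (what the AD FS console shows).
    #    The AD FS service account needs Read on the private key, or this fails;
    #    grant it via the certificate's "Manage Private Keys" dialog.
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint

    Restart-Service adfssrv

    # Read both back so the change is confirmed, not assumed.
    Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
    Get-AdfsCertificate -CertificateType Service-Communications |
        Select-Object Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
}

# Import the PFX, then install it. Path and password prompt are placeholders.
# $pw = Read-Host -AsSecureString 'PFX password'
# Import-PfxCertificate -FilePath 'C:\certs\adfs.pfx' -CertStoreLocation Cert:\LocalMachine\My -Password $pw
# Update-AdfsServiceCert -Thumbprint '7503ffb9da7ee64971e50a37fbe1b53dd7eeeef8'
```

Running Test-AdfsCandidateCert on its own is also a cheap pre-flight check before the maintenance window: it catches the two mistakes that usually surface only after the service restart, a public-only .cer import and a thumbprint copied with spaces.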
Give removable drive write access.
December 14, 2022
In Group Policy, open Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. Double-click "Deny write access to removable drives not protected by BitLocker" and select Disabled....
Check the Service status and start if required
December 8, 2022
As a Windows network/system admin, we need to check some critical services all the time. Let's take Active Directory Federation Services as an example; I use a batch script to check it and start it if needed. Create a script file called ServiceCheck.bat and save it to C:\scripts:

```batch
@echo off
REM Read the STATE line from "sc query" and start the service if it is not RUNNING.
for /F "tokens=3 delims=: " %%H in ('sc query "adfssrv" ^| findstr " STATE"') do (
    if /I "%%H" NEQ "RUNNING" (
        REM Put the code you want to execute here, for example:
        net start "adfssrv"
    )
)
```

Then create a task in Task Scheduler. Trigger: Daily, start at 7 AM, repeat the task every 5 minutes for a duration of 1 day. Action: Start a program, C:\scripts\ServiceCheck.bat.

Note that the service's own Recovery tab (or sc failure) only restarts a service that has crashed, not one that was stopped cleanly, which is why a periodic check like this is still worth having. ...
Disable SCHANNEL log in windows
October 19, 2022
Here is a workaround you can try. Note: back up the registry before changing it. The value lives under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL:

"EventLogging"=dword:00000000

Value    Description
0x0000   Do not log
0x0001   Log error messages
0x0002   Log warnings
0x0004   Log informational and success events

The values are flags and can be combined (0x0007 logs everything). Setting 0 silences Schannel completely, which also hides the TLS handshake failures you would want to see during an incident; 1 (errors only) is the default and is usually the better choice when the noise comes from warnings or informational events. A restart is needed for the change to take full effect....
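An added PowerShell example (not from the original post) that reads the current Schannel logging level, decodes the bitmask, and sets it. It defaults to 1, errors only, rather than the 0 in the .reg fragment above, so TLS failures stay visible. The registry path and value name are the documented ones; the function names are chosen here.

```powershell
# Added example: inspect and change the Schannel EventLogging flags.
# Run elevated; a reboot is needed before the new level fully applies.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelLogLevel {
    # Returns the raw flags plus a readable decoding of the bitmask.
    $raw = (Get-ItemProperty -Path $SchannelKey -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
    if ($null -eq $raw) { $raw = 1 }   # value absent: Windows behaves as 1 (errors only), the documented default
    [pscustomobject]@{
        Raw      = $raw
        Errors   = [bool]($raw -band 1)
        Warnings = [bool]($raw -band 2)
        Info     = [bool]($raw -band 4)
    }
}

function Set-SchannelLogLevel {
    # $Flags is a bitmask: 1 errors, 2 warnings, 4 informational/success.
    # 0 turns Schannel logging off entirely; the default of 1 keeps failures visible.
    param([ValidateRange(0, 7)] [int] $Flags = 1)
    $before = Get-SchannelLogLevel
    if ($Flags -eq 0) {
        Write-Warning 'EventLogging=0 hides TLS handshake failures; consider 1 (errors only) instead'
    }
    Set-ItemProperty -Path $SchannelKey -Name EventLogging -Value $Flags -Type DWord
    Write-Host "EventLogging changed from $($before.Raw) to $Flags; reboot for it to take full effect"
    Get-SchannelLogLevel
}

# Show what is configured now.
Get-SchannelLogLevel
# Quieten warnings/info but keep errors (the usual fix for a noisy System log):
# Set-SchannelLogLevel -Flags 1
```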
monitor Aruba AP status With PRTG
September 21, 2022
With PRTG you can check whether the APs are online and their CPU usage. First add a device with the controller's IP address. Under the device, add a sensor: type SNMP in the search box and pick "SNMP Custom Table". The OIDs can be found in the Aruba Instant MIB Reference Guide: https://www.arubanetworks.com/techdocs/Instant_423_WebHelp/Content/Aruba%20Instant%20MIB%20Reference%20Guide.pdf

The table is called "ai Access Point Table" and its OID is 1.3.6.1.4.1.14823.2.3.3.1.2.1. After the lookup you will see the table: column 1.1 is the MAC address, 1.2 the name and 1.3 the IP address. What I really care about is 1.7, CPU usage. Select it and edit:

Identification Column: 1.3.6.1.4.1.14823.2.3.3.1.2.1.1.2 (the AP name)
Channel #1 Name: CPU%
Channel #1 Column: 1.3.6.1.4.1.14823.2.3.3.1.2.1.1.7
Channel #1 Unit: Percent

Leave the other fields at their defaults and click "Create". Now you can create a map and add those sensors to the location. Use SNMPv3 on the device credentials if the controller supports it; v1/v2c community strings travel in clear text and are effectively a read password for the whole AP inventory. ...
Windows log with Graylog 4
September 15, 2022
Config in Graylog

Go to System > Inputs, open the "Select input" dropdown and select "GELF UDP". Tick "Global" and give it a title: Windows Events. Bind address: leave it as 0.0.0.0 (or bind a specific interface if the server is multi-homed). Port: anything legal; I will choose 3514, which prepends a 3 to the syslog port 514. Leave the others at their defaults.

Since Graylog is now listening on UDP port 3514, you need to allow it on the firewall. On CentOS:

```shell
firewall-cmd --zone=public --permanent --add-port=3514/udp
firewall-cmd --reload
```

GELF over UDP is neither authenticated nor encrypted, so anything that can reach the port can inject events into your log store. If you can, restrict the firewall rule to the sending hosts (a firewalld rich rule with a source address) or use the GELF TCP input with TLS instead.

Config on Windows

Download and install nxlog, then edit C:\Program Files\nxlog\conf\nxlog.conf:

```
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

#<Extension _fileop>
#    Module      xm_fileop
#
#    # Check the size of our log file hourly, rotate if larger than 5MB
#    <Schedule>
#        Every   1 hour
#        Exec    if (file_exists('%LOGFILE%') and \
#                   (file_size('%LOGFILE%') >= 5M)) \
#                    file_cycle('%LOGFILE%', 8);
#    </Schedule>
#</Extension>

# Below for Windows Event Viewer
<Extension _gelf>
    Module      xm_gelf
</Extension>

<Input eventlog>
    Module      im_msvistalog
    <Schedule>
        Every   5 min
        First   2022-09-14 09:00:00
        Exec    log_info("scheduled execution at " + now());
    </Schedule>
    # The query below can be copied from Event Viewer: "Filter Current Custom View",
    # set the filter on the Filter tab, then switch to the XML tab and copy it.
    # "*" selects every event in the channel; narrow it down once the flow works.
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output graylog>
    # Enter the IP address and the port on which the Graylog GELF UDP input is listening.
    Module      om_udp
    Host        192.168.61.116
    Port        3514
    OutputType  GELF
</Output>

# The path runs from the name of the <Input> above to the name of the <Output>,
# so it is eventlog => graylog
<Route graylog_route>
    Path        eventlog => graylog
</Route>
```

After you save the config file, restart the nxlog service.

Email notification

Email transport: sudo vi /etc/graylog/server/server.conf. server.conf is a Java properties file, so comments must sit on their own lines; a trailing "# ..." would become part of the value.

```
# This is important!
transport_email_enabled = true
# Take note of this address!
transport_email_hostname = smtp.gmail.com
# Yours may vary
transport_email_port = 465
transport_email_use_auth = true
# Port 465 is implicit SSL, so enable use_ssl only; Graylog refuses tls and ssl together.
transport_email_use_tls = false
transport_email_use_ssl = true
# An account you have created for the purpose of sending automated emails
transport_email_auth_username = [email protected]
transport_email_auth_password = Y0urPassw0rd!
transport_email_subject_prefix =
transport_email_from_email = [email protected]
```

Once you finish the above, save the file and run:

sudo systemctl restart graylog-server

Modify field

Let's say you want to shorten the hostname from DC01.mydomain.com.au to DC01, given that you only have a single domain and want the dashboard to be nice and neat. Go to System > Inputs and click the "Manage extractors" button. Click "Get started", select the input you created before, and click "Load Message". Next to the source field click "Select extractor type" and choose "Regular expression". At the top it shows the original value, DC01.mydomain.com.au. Fill in:

Regular expression: (.*?)\.
Store as field: source
Extractor title: Extract Hostname from FQDN

Click "Create extractor". The lazy match captures everything up to the first dot; a source with no dot simply does not match and is left unchanged.

Configure pipelines

Pipelines can be used to drop messages, remove fields and much more; see the function reference: https://archivedocs.graylog.org/en/2.2/pages/pipelines/functions.html#drop-message

I will use drop_message as an example: I want to drop messages whose full_message field contains the keywords "CN=ADFS ProxyTrust - NHSADFSWAP".

Create a rule

Click System > Pipelines, then "Manage Rules", then "Create Rule". In the description box type a descriptive title. In the rule source, type:

```
rule "Drop ADFS ProxyTrust - NHSADFSWAP Messages"
when
  contains(to_string($message.full_message), "CN=ADFS ProxyTrust - NHSADFSWAP")
then
  drop_message();
end
```

Then click Save & Close. Note that contains() is case-sensitive unless you pass true as its third argument, and that dropped messages never reach storage, so only drop what you are sure you will never need for an investigation.

Add a pipeline

Click "Manage Pipelines" at the top right, then "Add new pipeline", type a title and description, and click Save; you are now in the pipeline edit page. Click "Edit connections", select a stream (by default "All messages") and click Save. Then click "Add new stage", under "Stage rules" pick the rule you created above, and click Save. ...
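Before wiring up nxlog it is worth proving that the GELF UDP input and the firewall rule actually accept traffic, because Test-NetConnection cannot probe UDP. The added PowerShell example below (not from the original post) builds a GELF 1.1 message by hand and sends it from the Windows host to the input, after which it should appear under the input's "Show received messages". The server address and port are the post's 192.168.61.116 and 3514; the message content and the _EventID/_Channel fields are constructed, and the function names are chosen here.

```powershell
# Added example: hand-built GELF 1.1 message over UDP to verify a Graylog input.
# GELF requires version, host and short_message; additional fields must start
# with an underscore, which is how nxlog will later send EventID, Channel, etc.

function New-GelfMessage {
    param(
        [Parameter(Mandatory)] [string] $ShortMessage,
        [string] $HostName = $env:COMPUTERNAME,   # becomes the "source" field in Graylog
        [int] $Level = 6,                         # syslog severity: 6 = informational
        [hashtable] $Extra = @{}
    )
    $msg = [ordered]@{
        version       = '1.1'
        host          = $HostName
        short_message = $ShortMessage
        timestamp     = [double]([DateTimeOffset]::UtcNow.ToUnixTimeSeconds())
        level         = $Level
    }
    foreach ($k in $Extra.Keys) { $msg["_$k"] = $Extra[$k] }   # prefix custom fields
    return ($msg | ConvertTo-Json -Compress)
}

function Send-GelfUdp {
    # Sends one datagram and returns the number of bytes put on the wire.
    param(
        [Parameter(Mandatory)] [string] $Json,
        [string] $Server = '192.168.61.116',
        [int] $Port = 3514
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Json)
    # An uncompressed, unchunked GELF datagram has to fit in a single UDP packet,
    # so keep test messages well under the path MTU.
    $udp = New-Object System.Net.Sockets.UdpClient
    try     { [void]$udp.Send($bytes, $bytes.Length, $Server, $Port) }
    finally { $udp.Close() }
    return $bytes.Length
}

# Constructed test event; the _EventID/_Channel values are made up for the test.
$json = New-GelfMessage -ShortMessage 'GELF input test from PowerShell' `
                        -Extra @{ EventID = 4624; Channel = 'Security' }
$json                      # inspect the payload before sending
# Send-GelfUdp -Json $json   # uncomment on a host that can reach the Graylog server
```

If the message shows up in Graylog the input, port and firewall are fine and any remaining problem is in nxlog.conf; if it does not, because UDP gives no error back, check the firewall first and then the input's bind address.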