How to enable local Account Lockout Policies through PowerShell? - windows

Documentation link: Allow Administrator account lockout
Microsoft introduced a new feature and I can't seem to figure out how to enable it through the cli.
Please let me know if you have any thoughts? I tried tracking the registry changes with procmon, but didn't have much luck pinpointing which keys were changed.
So far I have been able to configure all of the policies under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies - Except for "Allow Administrator account lockout"
The goal is to enable "Allow Administrator account lockout"

At this point, if I were you, I'd just use a reference machine, change the setting there, then export that policy to import to other target machines.
Using Secedit.exe at cmd.exe or PowerShell.
secedit.exe /export /cfg "$env:USERPROFILE\Downloads\security-policy.inf"
secedit.exe /configure /db "$env:windir\security\local.sdb" /cfg "$env:USERPROFILE\Downloads\security-policy.inf"
Using the normal GUI effort.
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 10
ResetLockoutCount = 10
LockoutDuration = 10
AllowAdministratorLockout = 1
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 0
EnableGuestAccount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
...
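The export, edit and import round trip from the answer above, scripted end to end. This is an added example, not code from the original post; the scratch .inf path and the helper function names are assumptions, and it must run from an elevated session.

```powershell
# Added example; run from an elevated PowerShell session.
$cfg = Join-Path $env:TEMP 'security-policy.inf'   # assumed scratch path
$db  = "$env:windir\security\local.sdb"            # database path used in the answer

function Export-SecurityPolicy([string]$Path) {
    # Export only the security-policy area (account, lockout, audit settings).
    secedit.exe /export /cfg $Path /areas SECURITYPOLICY | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
    Get-Content -Path $Path
}

function Get-PolicyValue([string[]]$Lines, [string]$Name) {
    foreach ($l in $Lines) {
        if ($l -match "^\s*$([regex]::Escape($Name))\s*=\s*(.*)$") { return $Matches[1].Trim() }
    }
    return $null
}

# 1. Export the current policy, then set (or insert) the key under [System Access].
$lines = Export-SecurityPolicy $cfg
if ($null -ne (Get-PolicyValue $lines 'AllowAdministratorLockout')) {
    $lines = $lines -replace '^\s*AllowAdministratorLockout\s*=.*$', 'AllowAdministratorLockout = 1'
} else {
    $lines = foreach ($l in $lines) {
        $l
        if ($l -match '^\[System Access\]\s*$') { 'AllowAdministratorLockout = 1' }
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # keep the UTF-16 encoding of the export

# 2. Import only the security-policy area.
secedit.exe /configure /db $db /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

# 3. Re-export and confirm what is actually in effect.
$after     = Export-SecurityPolicy $cfg
$allow     = Get-PolicyValue $after 'AllowAdministratorLockout'
$threshold = Get-PolicyValue $after 'LockoutBadCount'
if ($allow -ne '1') { throw 'AllowAdministratorLockout was not applied (unsupported on this build?)' }
if ([int]$threshold -eq 0) {
    Write-Warning 'LockoutBadCount is 0: no account, Administrator included, will ever lock out.'
}
"AllowAdministratorLockout=$allow LockoutBadCount=$threshold"
```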

Related

Allow remote connection to this computer using WinAPI

I need to set Allow remote connections to this computer on, so I want to know If I can enable it by using WinAPI.
Does anyone know If this can be done with any function?
For this you need to set the following registry keys:
HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication = (IsDlgButtonChecked() == BST_CHECKED)
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer = 0 or 1 or 2
If the radio button is not selected, you need to set only
HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 1
You also need to enable the "@FirewallAPI.dll,-28752" firewall group with the following code:
#include <windows.h>
#include <netfw.h>

// Enables or disables a firewall rule group on all profiles.
// COM must already be initialized on the calling thread (CoInitializeEx).
HRESULT EnableFirewallRule(PCWSTR cgroup, VARIANT_BOOL enable)
{
    if (BSTR group = SysAllocString(cgroup))
    {
        INetFwPolicy2* pNetFwPolicy2;
        HRESULT hr = CoCreateInstance(__uuidof(NetFwPolicy2), 0, CLSCTX_INPROC_SERVER, IID_PPV_ARGS(&pNetFwPolicy2));
        if (!FAILED(hr))
        {
            hr = pNetFwPolicy2->EnableRuleGroup(NET_FW_PROFILE2_ALL, group, enable);
            pNetFwPolicy2->Release();
        }
        SysFreeString(group);
        return hr;
    }
    else return E_OUTOFMEMORY;
}

// Usage: enable the "Remote Desktop" rule group.
EnableFirewallRule(L"@FirewallAPI.dll,-28752", VARIANT_TRUE);
Yes, this is not documented properly. However, some info about this can be found.
Whether the radio button (Allow remote connections to this computer) is selected depends only on fDenyTSConnections (0 or 1 (!= 0)) - you can test it by changing the value in regedit and reopening the System Properties/Remote dialog.
Some proof on MSDN - Using Remote Desktop:
A value of 0 for the fDenyTSConnections registry value means that
Remote Desktop is enabled on the system, while a value of 1 means that
Remote Desktop is disabled. If you later decide you want to disable
Remote Desktop on your Server Core installation, type cscript
%windir%\system32\scregedit.wsf /ar 1 at a command prompt.
UserAuthentication - [0 or 1] controls the Network Level Authentication checkbox (1 - checked, 0 - unchecked) (again, you can change the value in regedit and reopen the System Properties/Remote dialog - or check/uncheck this box and view it in regedit)
In the Properties pane, click the box to the right of the
UserAuthentication setting and type 1 to require Network Level Authentication, as shown here.
SecurityLayer - [0 or 1 or 2] - look at Table 6-1, The SecurityLayer Setting Values
And the last one is for the firewall (this begins from Vista):
In the Properties pane, type C:\Windows\system32\netsh advfirewall
-firewall set rule group="Remote Desktop" new enable=yes
So we need to enable rule group="Remote Desktop".
Now look at this technet.microsoft.com link:
For example, to enable Remote Desktop, use the following:
<Group>@FirewallAPI.dll,-28752</Group>
There is an example of how to do this, Enabling a Group, on MSDN. My code snippet is based on this.
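A read-only check of the same registry values and firewall group, useful for confirming what state a host was left in after RDP is switched on or off. This is an added example, not part of the original answer; the function names are assumptions, the SecurityLayer value names are stated from general knowledge rather than from the page, and 'Remote Desktop' is the English display name of the group.

```powershell
# Added example: read-only audit of the values named in the answer above.
$ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$rdp = Join-Path $ts 'WinStations\RDP-Tcp'

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RdpExposure {
    $deny  = Get-RegValue $ts  'fDenyTSConnections'
    $nla   = Get-RegValue $rdp 'UserAuthentication'
    $layer = Get-RegValue $rdp 'SecurityLayer'
    # Meaning of the SecurityLayer values (not taken from the page).
    $layerName = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

    # Enabled inbound rules in the "Remote Desktop" firewall group.
    $open = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
              Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    $findings = @()
    if ($deny -eq 0) {
        if ($nla -ne 1)   { $findings += 'RDP is enabled but Network Level Authentication is not required.' }
        if ($layer -eq 0) { $findings += 'SecurityLayer is 0: native RDP encryption, no TLS server authentication.' }
    } elseif ($open.Count -gt 0) {
        $findings += 'RDP is disabled but Remote Desktop firewall rules are still enabled.'
    }

    [pscustomobject]@{
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        SecurityLayer = if ($null -ne $layer) { $layerName[[int]$layer] } else { 'not set' }
        FirewallRules = $open.Count
        Findings      = $findings
    }
}

Test-RdpExposure | Format-List
```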

Add ports on Observium

I've installed Observium and it's working great, except for one thing: no ports are showing up.
I've added 3 devices with snmpd installed (Debian 7), all the graphs are displayed (cpu, mem) except for the network traffic ones, and on the front page, it shows:
Ports 0 0 up 0 down 0 ignored 0 disabled
I've also installed the agent on one device, it didn't change anything.
The config used is here (all the private information is noted xx):
$config['db_host'] = 'localhost';
$config['db_user'] = 'xx';
$config['db_pass'] = 'xx';
$config['db_name'] = 'xx';
// Base directory
$config['install_dir'] = "/opt/observium";
// Default community list to use when adding/discovering
$config['snmp']['community'] = array("xx");
// Authentication Model
$config['auth_mechanism'] = "mysql"; // default, other options: ldap, http-auth, please see documentation for config he$
// Enable alerter (not available in CE)
#$config['poller-wrapper']['alerter'] = TRUE;
// Set up a default alerter (email to a single address)
$config['alerts']['alerter']['default']['descr'] = "Observium - Alert";
$config['alerts']['alerter']['default']['type'] = "email";
$config['alerts']['alerter']['default']['contact'] = "xx@xx.com";
$config['alerts']['alerter']['default']['enable'] = TRUE;
$config['poller_modules']['unix-agent'] = 1;
$config['collectd_dir'] = '/var/lib/collectd/rrd';
$config['int_customers'] = 1; # Enable Customer Port Parsing
$config['int_transit'] = 1; # Enable Transit Types
$config['int_peering'] = 1; # Enable Peering Types
$config['int_core'] = 1; # Enable Core Port Types
$config['int_l2tp'] = 0; # Enable L2TP Port Types
$config['show_locations'] = 1; # Enable Locations on menu
$config['show_locations_dropdown'] = 1; # Enable Locations dropdown on menu
$config['show_services'] = 0; # Enable Services on menu (Disabled by default as this option is deprecated)
$config['ports_page_default'] = "details/"; ## eg "details/" "graphs/bits/"
$config['show_overview_tab'] = true;
$config['overview_show_sysDescr'] = true;
$config['frontpage']['device_status']['ports'] = true;
$config['device_traffic_iftype'] = array('/loopback/','/tunnel/','/virtual/','/mpls/');
$config['device_traffic_descr'] = array('/loopback/','/vlan/','/tunnel/','/:\d+/');
// End config.php
Is the configuration the problem? Is it only available in the Professional edition?
Thank you for your help, I'm new to Observium and I really find it awesome (except for this one little problem...)
Problem solved!
Easy fix on my MySQL Observium database:
ALTER TABLE `ports` CHANGE `port_label_short` `port_label_short` VARCHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL ;
Explanation:
I've run ./discovery.php -d -m ports -h 4 (4 being my host id), and it showed a lot of errors when running queries:
ERROR[Error in query: (1364) Field 'port_label_short' doesn't have a default value]
This error was the key, as I only needed to set a default value on this column.

php.ini file for eclipse php debugging

I have been searching high and low and still cannot get debugging working with 'eclipse for PHP Developers 3.0.2'.
At the moment eclipse is just hanging at 57% with 'Launching: waiting for XDebug session'. But while eclipse is hanging, the php file opens in an external browser and runs???
I'm using 'XAMPP 3.1.0.3.1.0' for the web server and have the appropriate 'php_xdebug.dll' file in the php ext folder.
I have tried numerous setting from other forums but still no luck, here is my php.ini file config for XDebug:
[XDebug]
zend_extension = "C:\xampp\php\ext\php_xdebug.dllstack"
;xdebug.profiler_append = 0
;xdebug.profiler_enable = 1
;xdebug.profiler_enable_trigger = 0
;xdebug.profiler_output_dir = "\xampp\tmp"
;xdebug.profiler_output_name = "cachegrind.out.%t-%s"
xdebug.remote_enable = 0n
xdebug.remote_handler = "dbgp"
xdebug.remote_host = "127.0.0.1"
;xdebug.trace_output_dir = "\xampp\tmp"
Anyone have an idea to what I need to change?
Seems like the configuration settings were not correct; a good tool to use is http://xdebug.org/wizard.php.
Downloaded the new version, added it to php/ext and updated php.ini:
[XDebug]
zend_extension = \xampp\php\ext\php_xdebug-2.2.2-5.4-vc9.dll
;zend_extension = "\xampp\php\ext\php_xdebug.dll"
;xdebug.profiler_append = 0
;xdebug.profiler_enable = 1
;xdebug.profiler_enable_trigger = 0
;xdebug.profiler_output_dir = "\xampp\tmp"
;xdebug.profiler_output_name = "cachegrind.out.%t-%s"
;xdebug.remote_enable = 0
;xdebug.remote_handler = "dbgp"
;xdebug.remote_host = "127.0.0.1"
;xdebug.trace_output_dir = "\xampp\tmp"

Import users to local with powershell windows server 2008 r2

I got this script:
$Users = Import-Csv C:\Users\Administrator\Desktop\userImport\userTest.csv
$Users | % {
    # Setting data
    $computer = [ADSI]"WinNT://."
    $userGroup = [ADSI]"WinNT://./Users,Group"
    # Create user itself
    $createUser = $computer.Create("User",$_.userid)
    # Set password (print1!)
    $createUser.SetPassword($_.password)
    $createUser.SetInfo()
    # Create extra data
    $createUser.Description = "Import via powershell"
    $createUser.FullName = $_.'full name'
    $createUser.SetInfo()
    # Set standard flags (Password expire / Password change / Account disabled)
    $createUser.UserFlags = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
    $createUser.SetInfo()
    # Add user to standard user group ("SERVER02\Users")
    $userGroup.Add($createUser.Path)
}
But I get the error:
A member could not be added to or removed from the local group because the member does not exist.
How can I possibly fix it?
Try replacing the . with the computer name here:
$computer = [ADSI]"WinNT://."
as
$compname = hostname
$computer = [ADSI]"WinNT://$compname"

Managing remote DACLs on fileshares: Win32_ACE to Win32_Share

Goal: Add a local user account share-level Read/Write permissions to an existing file share.
I'm hitting a roadblock in developing this. Apparently Microsoft wants you to add your user's ACE to the DACL and then back into the security descriptor of the share. (1). (No, NET SHARE /ADD is not available for existing shares, I was surprised.)
In theory that should be simple enough, but my main fear is doing it wrong and losing the existing share permissions (lots of network users, specific groups). This solution needs to scale to a few thousand shares. I'm developing the solution to output data about the existing DACL in case I need to back out. I should write code to interpret that log and be prepared to add them back en-masse should anything go wrong.
At the moment I'm using VBscript-- I feel PowerShell might be a bit stronger of an approach but VBscript/WMI is a known quantity.
Research:
(1) http://blogs.msdn.com/b/helloworld/archive/2008/07/22/editing-share-permission.aspx
Copy the existing ACEs to an array:
rc = shareSec.GetSecurityDescriptor(sd)
ReDim acl(UBound(sd.DACL)+1) '+1 for the new ACL we're going to add
For i = 0 To UBound(sd.DACL)
Set acl(i) = sd.DACL(i)
Next
Add the new ACE to that array:
Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), 2032127)
The functions NewTrustee() and NewACE() encapsulate the instructions for creating the trustee and the ACE. The number is the access mask for Full Control.
Create a new security descriptor and assign it to the share:
Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
sd.ControlFlags = flags
sd.DACL = acl
rc = shareSec.SetSecurityDescriptor(sd)
Check this page for a lot more detailed information about security descriptors, trustees, ACLs and ACEs.
Full script:
Const FullControl = 2032127

' modify these variables according to your requirements:
computer = "."
share = "..."
username = "..."
domain = CreateObject("WScript.Network").UserDomain

Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" _
    & computer & "/root/cimv2")
Set shareSec = GetObject("winmgmts:Win32_LogicalShareSecuritySetting.Name='" _
    & share & "'")

Function NewTrustee(name, domain)
    Dim trustee, account
    Set trustee = wmi.Get("Win32_Trustee").SpawnInstance_
    trustee.Name = name
    trustee.Domain = domain
    Set account = wmi.Get("Win32_UserAccount.Domain='" & domain & "',Name='" _
        & name & "'")
    trustee.Properties_.Item("SID") = wmi.Get("Win32_SID.SID='" & account.SID _
        & "'").BinaryRepresentation
    Set NewTrustee = trustee
End Function

Function NewACE(trustee, permissions)
    Dim ace : Set ace = wmi.Get("Win32_Ace").SpawnInstance_
    ace.Properties_.Item("AccessMask") = permissions
    ace.Properties_.Item("AceFlags") = 3
    ace.Properties_.Item("AceType") = 0
    ace.Properties_.Item("Trustee") = trustee
    Set NewACE = ace
End Function

' copy existing ACEs
rc = shareSec.GetSecurityDescriptor(sd)
flags = sd.ControlFlags
ReDim acl(UBound(sd.DACL)+1) '+1 for the new ACL we're going to add
For i = 0 To UBound(sd.DACL)
    Set acl(i) = sd.DACL(i)
Next
Set sd = Nothing

' add new ACE
Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), FullControl)

' prepare new security descriptor
Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
sd.ControlFlags = flags
sd.DACL = acl

' assign new security descriptor
rc = shareSec.SetSecurityDescriptor(sd)
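The question asks for a way to record the existing share DACLs and put them back if a change goes wrong. One way to do that is to save each share's security descriptor as an SDDL string before touching it. This is an added example, not part of the original answer; it assumes Windows PowerShell 5.1 (Get-WmiObject), and the function names and CSV layout are hypothetical.

```powershell
# Added example: back up and restore share-level security descriptors as SDDL.
$helper = [wmiclass]'root\cimv2:Win32_SecurityDescriptorHelper'

function Backup-ShareSddl([string]$CsvPath, [string]$Computer = '.') {
    Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $Computer |
        ForEach-Object {
            $res = $_.GetSecurityDescriptor()
            if ($res.ReturnValue -ne 0) {
                Write-Warning "Could not read descriptor of share '$($_.Name)' (code $($res.ReturnValue))"
                return   # skip this share, continue with the next one
            }
            [pscustomobject]@{
                Computer = $Computer
                Share    = $_.Name
                Sddl     = $helper.Win32SDToSDDL($res.Descriptor).SDDL
            }
        } | Export-Csv -Path $CsvPath -NoTypeInformation
}

function Restore-ShareSddl([string]$CsvPath, [string]$Share, [string]$Computer = '.') {
    $row = Import-Csv -Path $CsvPath |
           Where-Object { $_.Share -eq $Share -and $_.Computer -eq $Computer } |
           Select-Object -First 1
    if (-not $row) { throw "No backup entry for share '$Share' on '$Computer'" }

    # Convert the saved SDDL back into a Win32_SecurityDescriptor instance.
    $conv = $helper.SDDLToWin32SD($row.Sddl)
    if ($conv.ReturnValue -ne 0) { throw "SDDL conversion failed (code $($conv.ReturnValue))" }

    $name = $Share.Replace("'", "\'")   # escape quotes for the WQL filter
    $sec  = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $Computer `
                          -Filter "Name='$name'"
    if (-not $sec) { throw "Share '$Share' not found on '$Computer'" }

    $rc = $sec.SetSecurityDescriptor($conv.Descriptor)
    if ($rc.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed (code $($rc.ReturnValue))" }
}

# Usage (constructed paths and names):
# Backup-ShareSddl -CsvPath C:\Temp\share-dacl-backup.csv
# Restore-ShareSddl -CsvPath C:\Temp\share-dacl-backup.csv -Share 'Projects'
```

For the Read/Write goal stated in the question, the share-level Change mask 1245631 grants less than the Full Control mask 2032127 used in the script.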
