Useful Domain User Account Information

To find out how long it's been since a user last changed their password:

net user UserName /DOMAIN | find /I "Password last set"

To find out how long it's been since they last logged on:

net user UserName /DOMAIN | find /I "Last Logon"

Improving security on Exchange 2010 / Windows 2008 R2 server

As part of an effort to secure the corporate infrastructure I recently ran the ssllabs.com test against a public facing Microsoft Exchange 2010 server running on Windows 2008 R2.

If you have your own Exchange server (or any server with an SSL certificate) you can run that same test here for free.

https://www.ssllabs.com/ssltest/

My fully patched but otherwise unhardened server scored a C.

It turns out (rightly so) they take a dim view of the lack of support for TLS 1.2 as well as the ability to use the old RC4.

So I started googling. There are some links right there on the website where you get your report.

First I needed to enable TLS 1.2. I found several sites that had step-by-step directions. Here is one.

https://support.quovadisglobal.com/kb/a433/how-to-enable-tls-1_2-on-windows-server-2008-r2.aspx

And here is another

http://tecadmin.net/enable-tls-on-windows-server-and-iis/

Then to disable the old RC4 ciphers I found this Microsoft TechNet blog article

https://blogs.technet.microsoft.com/srd/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4/

and here is another, where the author has saved the necessary regedits in a file for you already

https://samrueby.com/2015/06/08/how-to-disable-sslv3-and-rc4-ciphers-in-iis/

All that was left was to reboot the server so these changes would take effect. Once that was done, I re-ran the test and found that I had cleared the "errors" and improved my grade from a C to a B.
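A PowerShell script that applies those two changes (enable TLS 1.2, disable RC4) through the SCHANNEL registry keys and then reads them back, as an added example rather than the regedit files from the linked articles; it assumes the standard SCHANNEL registry layout on Windows Server 2008 R2 and must be run as Administrator.

```powershell
# Added example (not from the linked articles): enable TLS 1.2 and disable RC4 via
# the SCHANNEL registry keys, then read the settings back. Assumes Windows Server
# 2008 R2 and an elevated prompt; a reboot is still required afterwards.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$dword = [Microsoft.Win32.RegistryValueKind]::DWord

# 1. Enable TLS 1.2 for the server side (what ssllabs.com tests) and the client side.
foreach ($side in 'Server', 'Client') {
    $key = $hklm.CreateSubKey("$schannel\Protocols\TLS 1.2\$side")
    $key.SetValue('Enabled', 1, $dword)
    $key.SetValue('DisabledByDefault', 0, $dword)
    $key.Close()
}

# 2. Disable every RC4 cipher. These key names contain a forward slash, which the
#    PowerShell registry provider treats as a path separator (New-Item would create
#    nested "RC4 128" and "128" keys), so the .NET API is used: it takes the name literally.
foreach ($cipher in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128') {
    $key = $hklm.CreateSubKey("$schannel\Ciphers\$cipher")
    $key.SetValue('Enabled', 0, $dword)
    $key.Close()
}

# 3. Read the settings back so the change can be checked before rebooting.
function Get-SchannelSetting([string]$subKey, [string]$name) {
    $key = $hklm.OpenSubKey("$schannel\$subKey")
    if ($key -eq $null) { return 'missing' }
    $value = $key.GetValue($name)
    $key.Close()
    if ($value -eq $null) { 'missing' } else { $value }
}

foreach ($side in 'Server', 'Client') {
    "TLS 1.2 $side Enabled={0} DisabledByDefault={1}" -f `
        (Get-SchannelSetting "Protocols\TLS 1.2\$side" 'Enabled'),
        (Get-SchannelSetting "Protocols\TLS 1.2\$side" 'DisabledByDefault')
}
foreach ($cipher in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128') {
    "Cipher '$cipher' Enabled={0}" -f (Get-SchannelSetting "Ciphers\$cipher" 'Enabled')
}
```

A cipher key that is absent ("missing") means SCHANNEL falls back to its default, which on this platform leaves RC4 enabled, so every RC4 entry should read Enabled=0 before the reboot.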

Now it seems the test doesn't like my DH key exchange size... But I'll have to revisit that later on.

Helpful PowerShell Commands

These are mostly so I don't have to a) remember them or b) scrounge around Google looking for them the next time I need them.

List all users, the last date/time they logged in, and whether the account is disabled or not:

get-aduser -f * -pr lastlogondate | ft samaccountname,LastLogonDate,Enabled -auto