Install ESXi 6.7 on HP EliteDesk 800 G4

  1. Start by disabling UEFI Boot (Fast boot)
  2. Prepare the USB stick with Rufus and choose MBR as the partition scheme
  3. Install ESXi 6.5 and press SHIFT+O at startup
  4. Add formatwithmbr after runweasel, i.e. “runweasel formatwithmbr”
  5. Boot up and shut down
  6. Install 6.7 and choose upgrade

Windows Firewall Stealth mode

Sometimes you want Windows Firewall to actively block your packets instead of just silently dropping them. Setting the DisableStealthMode value under the registry keys below enables that.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

Value: DisableStealthMode

Type: REG_DWORD

Data:
0x00000000 (default – StealthMode enabled)
0x00000001 (StealthMode disabled)

https://support.microsoft.com/en-us/help/2586744/disable-stealth-mode
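To check where the value is currently set, the following added example (not part of the original post) reads DisableStealthMode from each key listed above. The function name Get-StealthModeState is hypothetical.

```powershell
# Added example: report DisableStealthMode for every key listed in the post.
$StealthKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'
    'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile'
    'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'
)

function Get-StealthModeState {
    param([string[]]$Path = $StealthKeys)

    foreach ($Key in $Path) {
        $Value = $null
        if (Test-Path -LiteralPath $Key) {
            # Returns nothing when the key exists but the value is absent
            $Value = (Get-ItemProperty -LiteralPath $Key -Name DisableStealthMode `
                        -ErrorAction SilentlyContinue).DisableStealthMode
        }

        [pscustomobject]@{
            Key                = $Key
            DisableStealthMode = $Value
            State              = if ($null -eq $Value) { 'NotSet' }
                                 elseif ($Value -eq 1) { 'StealthMode disabled' }
                                 else { 'StealthMode enabled' }
        }
    }
}

Get-StealthModeState | Format-Table -AutoSize -Wrap
```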


Powershell Splatting

$MailMessage = @{
    To = "Name@powerkb.se"
    From = "Name@powerkb.se"
    Subject = "Hi"
    Body = "Your text"
    Smtpserver = "smtp.powerkb.se"
    ErrorAction = "SilentlyContinue"
}
Send-MailMessage @MailMessage

Citrix ADC (Netscaler) admin GUI and 2 factor authentication with Pointsharp

This is not a complete guide and requires you to have some basic skills with Pointsharp and NetScaler.

This guide is for using Pointsharp to do group extraction from Active Directory and send the groups to Citrix ADC. Which authentication method to use in Pointsharp is up to you. To configure 2FA on the Citrix ADC admin GUI against Pointsharp, there is some configuration you must do on the ADC and in Pointsharp.

Pointsharp

Citrix ADC

Create a RADIUS Authentication server.

In the wizard, enter the information corresponding to your config in Pointsharp and click More and edit according to the image below.

The Group prefix is set to CN= because Pointsharp sends the group according to the RFC standard, with the full DN. Since we have chosen to let Pointsharp send only the first group it matches, there can only be one group in the response, but we use “,” as the group separator to remove the DN string behind the actual group name. Let’s say that Pointsharp sends “CN=NetScalerAdmin,OU=Groups,DC=powerkb,DC=se”. We set the group prefix to “CN=”. Now we have “NetScalerAdmin,OU=Groups,DC=powerkb,DC=se”, and the ADC would fail to match that string. But since we use “,” as the group separator, the ADC will think the first group is NetScalerAdmin, the second is OU=Groups, and so on.

Create a new Authentication Group that matches your Active Directory group exactly.

Create an authentication policy and bind it globally.


Citrix ADC (Netscaler) Backend Server Authentication

Citrix ADC does not authenticate the backend server certificate by default. This can be enabled in the Service or the Service Group.

  1. Go to Load Balancing – Service/Service Group
  2. To the left, click SSL Parameters
  3. Check Enable Server Authentication and enter desired common name

Change Clock format on Windows 10 logon screen

  1. Press Win+R, type intl.cpl and press Enter (Region settings)
  2. Set your different time formats and click Apply
  3. Select the “Administrative” tab, then click the “Copy settings..” button.
  4. At the bottom, check the box for “Welcome screen and system accounts”.
  5. Click the “OK” button. Done


Disable TLS 1.0, TLS 1.1 and weak ciphers with Powershell

$RegistryPaths = @(
    #Protocols
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client"
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client"
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client"
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server"

    #Ciphers
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128"
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168"

    #Hashes (SHA here means SHA-1)
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5"
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA"

    #KeyExchangeAlgorithms (PKCS is RSA key exchange)
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS"
)
Foreach ($RegistryPath in $RegistryPaths)
{
    # Create the key through the .NET registry API. The PowerShell registry provider
    # treats the "/" in "RC4 128/128" as a path separator and would create the key
    # "RC4 128" with a subkey "128", which SCHANNEL ignores.
    $SubKey = $RegistryPath -replace '^HKLM:\\', ''
    $Key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
    $Key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $Key.Close()
}
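To confirm the result, this added example (not part of the original post) reads the same SCHANNEL keys back and warns about a stray "RC4 128\128" key, which is what the PowerShell registry provider creates when it is handed the "RC4 128/128" path. The names Test-SchannelDisabled, $Base and $Expected are hypothetical.

```powershell
# Added example: verify the SCHANNEL settings with the .NET registry API,
# which treats "/" in "RC4 128/128" as part of the key name.
$Base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Expected = @(
    'Protocols\SSL 2.0\Client', 'Protocols\SSL 2.0\Server'
    'Protocols\SSL 3.0\Client', 'Protocols\SSL 3.0\Server'
    'Protocols\TLS 1.0\Client', 'Protocols\TLS 1.0\Server'
    'Protocols\TLS 1.1\Client', 'Protocols\TLS 1.1\Server'
    'Ciphers\RC4 128/128', 'Ciphers\Triple DES 168'
    'Hashes\MD5', 'Hashes\SHA'
    'KeyExchangeAlgorithms\PKCS'
)

function Test-SchannelDisabled {
    param([string[]]$SubKey = $Expected)

    $Hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($Name in $SubKey) {
        $Key = $Hklm.OpenSubKey("$Base\$Name")      # read-only; $null if missing
        $Enabled = $null
        if ($Key) {
            $Enabled = $Key.GetValue('Enabled')     # $null if the value is absent
            $Key.Close()
        }
        [pscustomobject]@{
            SubKey   = $Name
            Enabled  = $Enabled
            Disabled = ($null -ne $Enabled -and $Enabled -eq 0)
        }
    }

    # Left behind when the key was created through the registry provider
    $Stray = $Hklm.OpenSubKey("$Base\Ciphers\RC4 128\128")
    if ($Stray) {
        $Stray.Close()
        Write-Warning 'Found "Ciphers\RC4 128\128": RC4 was not disabled by that key.'
    }
}

Test-SchannelDisabled | Format-Table -AutoSize
```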

Split PFX into cert and key without password

Set-Location 'C:\OpenSSL-Win64\bin'
$PfxPath = "C:\Cert\cert.pfx"
$WorkingDirectory = [io.path]::GetDirectoryName($PfxPath)
$FileName = [io.path]::GetFileNameWithoutExtension($PfxPath)

# Password for the pfx file
$Password = "password"

# Call openssl.exe directly instead of building a string for Invoke-Expression,
# so a path or password containing spaces, quotes or semicolons stays a single argument.

# Certificate only (-nokeys)
& .\openssl.exe pkcs12 -in $PfxPath -out "$WorkingDirectory\$FileName.crt" -nokeys -passin "pass:$Password"

# Private key only (-nocerts); -nodes writes the key unencrypted
& .\openssl.exe pkcs12 -in $PfxPath -out "$WorkingDirectory\$FileName.key" -nocerts -nodes -passin "pass:$Password"

Set Powershell to ignore certificate check

# Accepts every server certificate. The policy is process-wide: it applies to all
# requests that go through ServicePointManager until the PowerShell process exits.
Add-Type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
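A narrower alternative for the same Windows PowerShell setup, as an added example that is not part of the original post: accept a certificate that fails normal validation only when its thumbprint matches one you expect, and remove the callback afterwards. The class name PinnedCertPolicy, the thumbprint placeholder and the URL are assumptions.

```powershell
# Added example: trust exactly one known certificate instead of all of them.
Add-Type @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertPolicy {
    private static string pinned;

    // Accept a certificate that validates normally, or one whose
    // SHA-1 thumbprint equals the pinned value.
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors) {
        if (errors == SslPolicyErrors.None) { return true; }
        if (cert == null || pinned == null) { return false; }
        string actual = new X509Certificate2(cert).Thumbprint;
        return string.Equals(actual, pinned, StringComparison.OrdinalIgnoreCase);
    }

    public static void Enable(string thumbprint) {
        pinned = thumbprint.Replace(" ", "");
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static void Disable() {
        pinned = null;
        ServicePointManager.ServerCertificateValidationCallback = null;
    }
}
"@

# Placeholder thumbprint and hypothetical URL: replace both with your own values.
[PinnedCertPolicy]::Enable('<THUMBPRINT-OF-THE-EXPECTED-CERTIFICATE>')
try {
    Invoke-RestMethod -Uri 'https://device.example.invalid/api'
}
finally {
    # Restore default validation for the rest of the session
    [PinnedCertPolicy]::Disable()
}
```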

Powershell JEA Just Enough Administration Session client IP

To get the IP from inside a session you can use Get-WSManInstance. If you run the endpoint as a group managed service account, that account has to be an administrator on the local machine; otherwise you will get access denied. The variable $PID exists inside the JEA session.

Function Get-IP
{
    # Enumerate the local WinRM shells and keep the one hosted by this session's process.
    # The returned shell instance carries the caller's address in its ClientIP property.
    Get-WSManInstance -ConnectionURI http://localhost:5985/wsman -ResourceURI shell -Enumerate | Where-Object { $_.ProcessId -eq $PID }
}
