-
Welf Alberts commented on When the trust relationship between a workstation and the primary AD domain fails 1 day, 1 hour ago
Hey Joe.
Boot Windows Setup, it will not ask you for any credentials. Will edit my tutorial accordingly.
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 1 month ago
@Water Lover
Yes, isn’t that nice… they committed the change back in October and document it now, almost 4 months later. Found the same today, just came here to add it 🙂
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 1 month, 1 week ago
Hi.
Psexec does not need to be installed. Extract it from pstools, follow the given steps, report what you see.
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 2 months, 2 weeks ago
Is it necessary to point out that the script itself needs to be whitelisted? You will have whitelisted a lot of scripts (like those in sysvol) and it should be obvious that this script needs to be among them. Best would be to digitally sign it with a whitelisted signature.
Can you tell me why you think the script is (sometimes?) unable to delete the old configuration? Have never seen it failing to do that. Can you offer reproducible steps to make it fail?
About 1) – what’s the problem here? Again I don’t understand what could possibly go wrong at your side.
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 2 months, 4 weeks ago
Enforcement mode configured to “enforce rules” within all sections (exe, script, MSI) of the GPO?
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 3 months ago
Ok, enough trying to say for sure.
With Win10 22H2 and 11 22H2, you may use GPOs to control AppLocker without my script. No matter if upgraded or clean install, it works. Don’t forget that standard AppLocker relies on the service “appidsvc”, so your GPO needs to change the startup type of that service to automatic.
[yes, earlier I wrote that it didn’t work on 22H2 – the service wasn’t active]
Will edit my article accordingly.
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 3 months ago
I made two attempts:
On Win11 Pro 22H2 (clean install) AppLocker works out of the box without my script.
On a VM with Win10 Pro 20H2 it didn’t work and after upgrading that to 22H2 (19045.2364), it still does not work. Will do further attempts with 11 22H2 when upgraded from 11 RTM and 10 22H2 when cleanly installed.
-
Welf Alberts commented on Self-service password reset with ManageEngine ADSelfService Plus 3 months ago
Hi Brandon.
I would expect every comfortable solution to have a downside, security-wise.
And that should be considered as well. For example: how secure are security questions? NIST no longer recognizes those as an acceptable authenticator by SP 800-63.
As your screenshot shows, those can be combined with SMS verification and push notifications and so on, but who is able to tell how secure this is against abuse? Try to put a number to it, that will be hard. Ideally, every pw reset system needs to be as secure as the pw itself; providing reset options should make it easier for an attacker to steal an identity, so giving an estimate of how secure this combination of reset verifications is, should be mandatory. Furthermore, I would like to know whether this software works with passwords only or whether it can also reset forgotten SmartCard PINs (for Windows authentication).
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 3 months ago
Walter, David…
Say, how funny is this… all these years, it didn’t work on Pro. Here comes my scripted solution for Pro, BAM, 6 months later, it works out of the box.
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 3 months, 1 week ago
That would be astounding, indeed. I misunderstood at first 🙂
So you tested this without using my script and things that you define in gpedit.msc get blocked?
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 3 months, 1 week ago
Walter, this works on all Win10. Tried successfully on 21H2 Pro as well. So I am not sure what your gpedit.msc looked like, but surely that was a problem at your end.
-
Welf Alberts replied to the topic Backing up Bitlocker laptop in IT Administration Forum 4 months, 1 week ago
The numerical recovery password does not depend on the hardware, it works anywhere, also when the drive is cloned to a new machine.
-
Richard, you quote me writing “at little cost” and later “there are costs” – and seem to feel those are contradictory statements. The costs for those licenses are small, compared to their benefit, if you ask me.
I don’t express “there are no costs”. Maybe you misunderstand when I encourage readers to try this out by writing that setting up a lab requires less than one hour and costs nothing (since the server trial setup allows for several months of free usage, local and RDP).
-
Welf Alberts replied to the topic Auditing of username guessing – impossible with server 2022? in IT Administration Forum 5 months, 1 week ago
In the current insider build of server vnext, it’s gone. Just inplace-upgraded my DC in my test lab and it started to work as expected.
Fine, now I can finish my article… was trying to avoid writing it with a server 2016 test lab.
-
Welf Alberts replied to the topic Auditing of username guessing – impossible with server 2022? in IT Administration Forum 5 months, 2 weeks ago
Yes Michael, saw that one. Suggested solutions don’t help, unfortunately.
-
Welf Alberts started the topic Auditing of username guessing – impossible with server 2022? in IT Administration Forum 5 months, 2 weeks ago
Hi.
With server 2016, I simply enable this setting:
Immediately, when someone at the logon mask uses a wrong username (which could be used for attacks as well in order to enumerate valid user names), this attempt (and with it, the user name) gets logged. On server 2022 (DC) however, the security log only gets populated with
Event ID: 521
Event User: NT AUTHORITY\SYSTEM
Unable to log events to security log:
Status code: 0xc0000078
Value of CrashOnAuditFail: 0
Number of failed audits: 1
So my simple question is: does it work for anyone here on server 2022?
-
Welf Alberts commented on When the trust relationship between a workstation and the primary AD domain fails 6 months, 2 weeks ago
Hi Rizan. The above tutorial is no cure for “cannot join”. Use the forum here, open a thread, offer details on what error messages you see when trying to join.
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 6 months, 3 weeks ago
Sabine, the proof of concept is not meant for repeated runs. You have not reacted to my suggestion before, which told you what lines to execute now to overcome this.
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 6 months, 3 weeks ago
Fine, thanks for the feedback!
-
Welf Alberts commented on Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell 6 months, 3 weeks ago
Saw Sabine’s screenshot and that’s something different to Georges’s problem. Use the delete_all_rules part (lines 3-20) in the lowest code, then retry.