
High-Available Architectures and SLA impact

Basis of SLAs: An SLA is an agreement on service availability, performance and responsiveness. In this paper, only the availability part of the SLA is addressed. When SLAs are mentioned in this document, however, we mean the minimum time a service or component needs to be available, or the maximum time it is allowed to be down. When […]

Read more

Azure P2S VPN with MFA

Now that Microsoft has enabled the RADIUS option in the Azure Gateway VPN configuration, you can enable MFA on your P2S connections! There is a caveat, however: it only works if you have replicated your users from an Active Directory into Azure Active Directory. If you have cloud-only users, it doesn’t work (yet). I’ll […]

Read more

PowerBI Gateway and Proxies

The PowerBI Gateway can be used to connect on-premises database sources into PowerBI, Microsoft Flow, Logic Apps and PowerApps. The advantages are many, and if installed correctly it will work flawlessly. However, the default install of the connector is based on the gateway being able to connect directly to the internet. While it’s the fastest […]

Read more

Pass the Hash

When you create a new forest or new domain, you use the Domain Admin credentials. Through the use of the “Administrator” account you can control each and every workstation and server. You can install Exchange, System Center products and much much more. But Microsoft is probably thinking twice now about the framework they have chosen wherein the Administrator is master of your infrastructure.

As the Administrator account is so powerful, it’s a sweet spot for hackers, the target to get. That’s probably why many people rename the Administrator account to Guest (and vice versa) or something else. Many others keep the Administrator name but change the password to a very long one including special characters, but even that seems futile given the discovery of an advanced hacking technique called Pass the Hash.

Read more

Azure Networking S2S + P2S

In a previous post we looked at how to create a Site-2-Site connection from Checkpoint to Azure using a Dynamic Gateway. In this post, we look at client dial-up (VPN) into the Azure network and establish routing between all the sites involved.

Read more

Azure VPN with Checkpoint FW

In this post: how to configure a Site2Site VPN connection using a Checkpoint firewall.

[EDIT: The instructions below are for R77, which is a really old version. I’m currently writing the instructions for the R80.20 version, but it seems it’s a bit harder to get the S2S tunnel up and stable, certainly on my PPPoE internet connection. More updates soon!

But in case you still want to make this work, please check this hidden article with my notes, which have not been validated yet! [/EDIT]

While tells you how to create the Site2Site VPN, the firewall part only covers Juniper or Cisco appliances. As I do not own such a device, I got to work on the Checkpoint together with Syed Pasha.

Below the network overview…

Read more

FIM/BHOLD reports

So all documentation on BHOLD informs you there are “out of the box” reports available, but none of the articles show which reports they are. So here they are.

Read more

Change UPN (based on Primary Email) based on SMTP: in proxy addresses

So there are numerous scripts out there for setting the UPN of a user to match the Windows email address. You can even do that in a single PowerShell command. But would it not be better to actually read the primary e-mail address from the ProxyAddresses? The following script will help you with that:

Read more

Mitigating attacks on your Active Directory network

Microsoft released a new whitepaper this week that gives insight into why you should protect your privileged accounts. One of the techniques described is the Pass the Hash attack, which is a sophisticated attack but fairly easy to execute. These attacks have been seen in the “field” and are being used today. If you work with […]

Read more

MBAM – Install guide – tips

So as promised, the install guide, or at least some small tips, as the installation is not that hard.

First of all, we are going to use a three server architecture. One server for the databases, one for the administration and monitoring and a group policy server.

To start, we need to create some groups in Active Directory, a service account for SQL and a service account for the MBAM compliance part. Create the following groups and service accounts in AD:
Read more