

  • Securing Weak File, Folder and Registry Hive Permissions.

    In this blog, we'll examine how threat actors (hackers, in everyday terms) can escalate privileges when weak file, directory, or registry permissions are present. Many installers disable permission inheritance or grant excessive rights to ordinary user accounts, and those mistakes become local privilege-escalation paths. Finding these misconfigurations can be challenging, as it involves reviewing a large number of file, directory, and registry hive ACLs that are rarely looked at. Fortunately, I have a few scripts that detect and report these weaknesses and can also reset permissions to their secure defaults. But first, let's dive into the problem at hand...

The Risks

Improperly configured permissions on files, directories, and registry keys create significant weaknesses that threat actors exploit to escalate privileges or break out of restricted environments. When permissions are too loose, an unprivileged user can read or modify files that a privileged process trusts, which is the pathway to unauthorised actions. Weak permissions let that user write and execute programs in directories from which services or scheduled tasks run, or modify registry application paths (a service's ImagePath, for example) so that they point to a malicious binary. The next time the service starts, the attacker's code runs under the service account, typically SYSTEM, giving them access to sensitive information or control over existing applications and files. Beyond executing programs, insecure directory permissions also allow unauthorised changes to the permissions of files within the directory, so an attacker can alter or delete important files or drop new ones, such as a DLL in an application's search path. Finally, weak permissions make it easier to chain other vulnerabilities in the operating system or its applications into further access.

Additionally, unquoted service paths that contain spaces, and services whose own security descriptors let low-privilege users reconfigure or restart them, provide further avenues for exploitation. When a service path such as C:\Program Files\Some App\svc.exe is stored without quotes, Windows tries C:\Program.exe and C:\Program Files\Some.exe before the real executable, so an attacker who can write to one of those parent directories gets their binary run as the service account.

What to do....

Manually validating permissions across the operating system is a slow and tedious process. After discovering some critical permission issues and recognising the importance of thorough validation, I began developing a script for automated validation and pentesting. This script is available for download on GitHub, with all relevant links provided at the bottom of the page.

The Scripts: The Security Report, Support Page, Fix for Weak Permissions, Fix Unquoted Paths
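
The following is an added example and not the author's GitHub script: it enumerates directories under Program Files and service registry keys that low-privilege principals can write to, lists unquoted service paths, and offers a ShouldProc-aware fix that wraps the executable in quotes. Principal names, rights masks and the Program Files defaults are my assumptions; run it from an elevated prompt so every ACL is readable.

```powershell
# Added example (not the author's script): weak ACLs and unquoted service paths on the local box.

# Every interactive logon holds these identities, so a write ACE for them is a write ACE for an attacker.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let content be changed, replaced or planted. FullControl and Modify include Write.
# Generic bits (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000) appear on some ACEs and are
# not named in the enums, so they are checked separately.
$FsWriteMask  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$RegWriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$GenericWriteOrAll = 0x40000000 -bor 0x10000000

function Test-LowPrivWriteAce {
    param($Ace, [int]$Rights, [int]$Mask)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($LowPrivPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    return (($Rights -band $Mask) -ne 0) -or (($Rights -band $GenericWriteOrAll) -ne 0)
}

function Find-WeakDirectoryAcl {
    # Program Files is where services and scheduled tasks usually execute from (assumed default scope).
    param([string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}))
    foreach ($r in $Root) {
        if (-not $r -or -not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -Directory -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if (Test-LowPrivWriteAce $ace ([int]$ace.FileSystemRights) $FsWriteMask) {
                    [pscustomobject]@{ Kind = 'Directory'; Path = $dir.FullName
                                       Principal = $ace.IdentityReference.Value
                                       Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
                }
            }
        }
    }
}

function Find-WeakServiceKeyAcl {
    # A writable service key lets an attacker point ImagePath or ServiceDll at their own binary.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if (Test-LowPrivWriteAce $ace ([int]$ace.RegistryRights) $RegWriteMask) {
                [pscustomobject]@{ Kind = 'RegistryKey'; Path = $key.Name
                                   Principal = $ace.IdentityReference.Value
                                   Rights = $ace.RegistryRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Find-UnquotedServicePath {
    # CreateProcess tries "C:\Program", "C:\Program Files\Some", ... before the real executable,
    # so an unquoted path with a space is exploitable wherever one of those prefixes is writable.
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and
        $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
        ($_.PathName -split '\.exe', 2)[0] -match ' '
    } | Select-Object Name, StartMode, StartName, PathName
}

function Repair-UnquotedServicePath {
    # Wraps the executable part of ImagePath in quotes; -WhatIf shows the change without applying it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name,
          [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$PathName)
    process {
        $parts = $PathName -split '(?<=\.exe)\s+', 2          # executable, then any arguments
        $fixed = '"' + $parts[0] + '"' + $(if ($parts.Count -gt 1) { ' ' + $parts[1] } else { '' })
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
        if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
        }
    }
}

Find-WeakDirectoryAcl    | Format-Table -AutoSize
Find-WeakServiceKeyAcl   | Format-Table -AutoSize
Find-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf    # drop -WhatIf to apply
```

A hit from Find-WeakDirectoryAcl only matters when something privileged executes from, or loads DLLs from, that directory, so cross-reference the paths with Win32_Service PathName and scheduled task actions before raising them. Repair-UnquotedServicePath writes the registry; review the -WhatIf output first, and restart the service afterwards so the new path takes effect.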

  • Understanding Windows 11, TPMs, PCRs, Secure Boot, Bitlocker and Where They Fail

    Understanding Windows 11, TPMs, PCRs, and Security Features

Windows 11 requires Trusted Platform Module (TPM) 2.0 as part of its foundation for enhanced security, alongside features like Secure Boot, BitLocker, and Virtualization-Based Security (VBS). With these tools, Microsoft aims to shield devices from evolving threats in an increasingly hostile digital landscape. This article takes a closer look at these features and highlights their limitations, particularly in the context of remote attacks.

Trusted Platform Module (TPM): The Basics

A Trusted Platform Module (TPM) is a specialised security chip, or an equivalent firmware component, that provides cryptographic operations, safeguards keys and secrets, and records the integrity of the boot process. It can:
Generate, store, and manage cryptographic keys.
Record measurements of the boot process in Platform Configuration Registers (PCRs), so that secrets can be sealed to a known-good boot state.
Support security features like BitLocker and VBS.

Types of TPM
Discrete TPM: A dedicated hardware chip soldered to the motherboard.
Firmware TPM (fTPM): Implemented in firmware that runs in a protected environment of the CPU or chipset (Intel PTT, AMD fTPM).

Checking TPM Status
Windows Security App: Go to Settings > Privacy & Security > Windows Security, then navigate to Device Security > Security Processor.
TPM Management Console: Open the Run dialog, type tpm.msc, and press Enter to check the status and specification version.
Command Line: Run tpmtool getdeviceinformation to retrieve detailed TPM data, including:
TPM Version: The specification version of the TPM (e.g., 2.0).
Manufacturer Information: The manufacturer ID and firmware version of the TPM.
Supported Algorithms: The cryptographic algorithms supported by the TPM (e.g., RSA, ECC, SHA-256).
PCR Banks: The hash algorithms used for the Platform Configuration Registers, such as SHA-1 or SHA-256.
PCR Information: Which PCRs are active and their supported configurations.
TPM Status: Whether the TPM is enabled, activated, and ready for use.
PowerShell Cmdlets: Get-Tpm displays whether the TPM is present, ready and enabled, plus manufacturer and firmware version details.

Platform Configuration Registers (PCRs): Ensuring Boot Integrity

PCRs are registers inside the TPM that hold hashed measurements of the system state during boot. A PCR is never written directly; it is extended: new value = Hash(old value || measurement). The result is an order-dependent digest of everything measured into it, so a changed, added or reordered boot component produces a different final value. Together the PCRs form a cryptographic log of boot-time events.

Uses of PCRs
Secure Boot: Secure Boot itself validates signatures rather than PCRs, but the firmware measures the Secure Boot state into PCR 7, so anything sealed to PCR 7 is only available when Secure Boot was on with the expected policy.
BitLocker: Seals its volume key to expected PCR values. Mismatched values (e.g., from tampering with the bootloader) mean the TPM will not unseal the key, and BitLocker drops into recovery mode.

Commonly Used PCRs
PCR 0: Firmware code, including the Core Root of Trust for Measurement (CRTM) and the UEFI firmware image.
PCR 2: UEFI drivers and option ROMs loaded from add-in cards and devices.
PCR 4: The boot manager and other code the firmware hands off to (the bootloader).
PCR 7: Secure Boot policy and state, including the certificate used to verify the bootloader.
On UEFI systems with Secure Boot enabled, BitLocker binds to PCRs 7 and 11 by default; otherwise it uses PCRs 0, 2, 4 and 11. PCR 11 is BitLocker's own register, extended after the key is unsealed so that it cannot be unsealed again in the same boot.

What is Secure Boot?
Secure Boot is a UEFI feature that ensures only signed and trusted bootloaders are executed during system startup. The TPM complements it by measuring the Secure Boot configuration and the loaded boot components into the PCRs, producing a tamper-evident record of the boot sequence.

How Secure Boot Works:
Digital Signatures: Each component in the boot chain (firmware drivers, bootloader) must carry a valid digital signature that chains to a trusted certificate.
Key Hierarchy: The Platform Key (PK) authorises changes to Secure Boot settings; the Key Exchange Keys (KEK) authorise updates to the signature databases.
Allowed and Forbidden Lists: The db and dbx databases hold the trusted and revoked certificates and binary hashes.
Secure Boot and PCRs: PCR 7 reflects the Secure Boot state. Disabling Secure Boot or altering its databases results in a different PCR 7 value.

Checking Secure Boot Status: Open the System Information tool (msinfo32) and look for Secure Boot State in the report, or run Confirm-SecureBootUEFI from an elevated PowerShell prompt.

What is BitLocker?
BitLocker is a full-volume encryption feature that leverages the TPM to protect its key. It keeps data unreadable if the boot chain is tampered with or the drive is removed.

How BitLocker Uses TPM:
Seals the volume key with the TPM, bound to expected PCR values (the sealed blob lives on disk; only that TPM can unseal it).
Validates PCR values during boot. If the values match the expected measurements, the TPM unseals the key and the drive is unlocked.

Configuring BitLocker: Open Explorer, right-click C: and select 'Manage BitLocker', then Turn on BitLocker and follow the prompts.

What is Virtualization-Based Security (VBS) and HVCI?
Virtualization-Based Security (VBS) uses the Hyper-V hypervisor to carve out an isolated region of memory (Virtual Secure Mode) for security-critical operations, so that even a compromised kernel cannot read or alter what runs there.

VBS Features:
Hypervisor-Enforced Code Integrity (HVCI): Enforces kernel-mode code integrity from the isolated environment, so only signed and verified drivers and kernel binaries can execute, and kernel memory cannot be made writable and executable at the same time. Microsoft recommends Secure Boot (to protect the hypervisor's boot chain) and a TPM alongside it.
Credential Guard: Isolates the secrets LSASS holds for domain accounts (Kerberos tickets, NTLM hashes) in the VBS-protected LSAIso process, so that code in the normal OS, even running as SYSTEM, cannot read them.

Enabling VBS:
Check hardware support: virtualization support enabled in BIOS/UEFI; run msinfo32 and look for "Hyper-V Requirements."
Enable VBS: Open Windows Security > Device Security > Core Isolation and enable Memory Integrity.

Verifying VBS Status: Run msinfo32 and look for "Virtualization-based security" (Running) and "Virtualization-based security Services Running" in the report.

What These Features Don't Protect
While these tools provide strong defences against physical tampering and boot-chain attacks, they fall short against remote threats:
Credential Theft - Credential Guard protects domain credentials but not local account hashes in the SAM, which can still be dumped by an administrator, and nothing stops malware in a user's session from capturing credentials as they are typed. Techniques like pass-the-hash let attackers use stolen hashes without cracking them.
Application Exploits - TPM protections don't block malware that exploits software vulnerabilities. Attackers bypass these defences by targeting unpatched applications.
Hardware-Level Attacks - Physical attacks that sniff the TPM bus (LPC or SPI) can capture the BitLocker volume key as the TPM releases it at boot, if no PIN is used.
Network-Based Attacks - Features like Secure Boot and TPM don't address phishing, network infiltration, or lateral movement.

Building a Comprehensive Security Strategy
To address these gaps, organisations should bolster TPM-based features with additional measures:
Application Control - Tools like Windows Defender Application Control (WDAC) enforce strict policies, blocking unauthorised applications and malware.
Regular Patching - Keeping systems and applications up to date mitigates risks from known vulnerabilities.
Multifactor Authentication (MFA) - Adds a layer of protection against credential theft and unauthorised access.
Endpoint Detection and Response (EDR) - Monitors for suspicious activity and stops advanced attacks.

The Takeaway
Windows 11's TPM-centric security features excel at defending against physical attacks, but they can't stop remote exploits, credential theft, or network-based threats on their own. Think of them as a sturdy lock: effective at preventing break-ins, but not enough if attackers climb in through an open window. A layered security approach is essential to stay ahead of sophisticated threats.
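
The following is an added example, not part of the original article: one PowerShell function that checks each feature discussed above on the local machine and reports the gaps that matter for the attacks listed (TPM-only BitLocker with no PIN, Secure Boot off, VBS/HVCI/Credential Guard not running). The Win32_DeviceGuard value meanings in the comments are Microsoft's documented ones; everything else is my wording. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): platform security posture in one object.
function Get-PlatformSecurityStatus {
    $findings = [System.Collections.Generic.List[string]]::new()

    # TPM presence and readiness
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent)    { $findings.Add('No TPM present') }
    elseif (-not $tpm.TpmReady)  { $findings.Add('TPM present but not ready (not initialised or disabled in firmware)') }

    # Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS machines, which is itself a finding.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false; $findings.Add('Firmware is not UEFI, Secure Boot unavailable') }
    if (-not $secureBoot) { $findings.Add('Secure Boot is off, PCR 7 will not attest a trusted boot chain') }

    # BitLocker on the OS volume: is it on, which method, and which key protectors guard the VMK.
    $os         = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = @($os.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    if ($os.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is $($os.ProtectionStatus) on $env:SystemDrive")
    }
    else {
        if ("$($os.EncryptionMethod)" -notmatch '^Xts') {
            $findings.Add("Encryption method is $($os.EncryptionMethod); XTS-AES is the modern choice")
        }
        if ($protectors -contains 'Tpm' -and $protectors -notcontains 'TpmPin' -and $protectors -notcontains 'TpmPinStartupKey') {
            $findings.Add('TPM-only protector: the VMK is released unattended at boot and can be sniffed on the TPM bus (no PIN)')
        }
        if ($protectors -notcontains 'RecoveryPassword') { $findings.Add('No recovery password protector configured') }
    }

    # VBS / HVCI / Credential Guard from the Device Guard WMI class.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    if ($dg.VirtualizationBasedSecurityStatus -ne 2) { $findings.Add('VBS is not running') }
    if (2 -notin $dg.SecurityServicesRunning) { $findings.Add('HVCI (Memory Integrity) is not running') }
    if (1 -notin $dg.SecurityServicesRunning) { $findings.Add('Credential Guard is not running: LSASS secrets can be dumped by an admin') }

    [pscustomobject]@{
        TpmPresent       = [bool]$tpm.TpmPresent
        TpmReady         = [bool]$tpm.TpmReady
        SecureBoot       = [bool]$secureBoot
        BitLocker        = "$($os.ProtectionStatus)"
        EncryptionMethod = "$($os.EncryptionMethod)"
        KeyProtectors    = ($protectors -join ', ')
        VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning      = (2 -in $dg.SecurityServicesRunning)
        CredGuardRunning = (1 -in $dg.SecurityServicesRunning)
        Findings         = $findings.ToArray()
    }
}

Get-PlatformSecurityStatus | Format-List
```

An empty Findings array means the physical-attack side of the article is covered; it says nothing about the remote threats listed under "What These Features Don't Protect", which is the point of the layered approach above.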

  • Bitlocker a Closer Look

    In my previous blog, I explored how Microsoft leverages the Trusted Platform Module (TPM) to secure Windows 11. In this article, we're going to take a deeper dive into BitLocker.

What is BitLocker
BitLocker is a full-volume encryption feature integrated into Microsoft Windows, designed to safeguard the confidentiality of data at rest. By encrypting the system drive, BitLocker ensures that unauthorised users cannot read the data even if they gain physical access to the hardware. A core part of BitLocker's security is the TPM, which protects the key material needed to decrypt the volume.

Key Concepts in BitLocker Encryption
Before diving into how the keys and AES or XTS-AES fit together, let's briefly define the components involved:
Full Volume Encryption Key (FVEK): The symmetric key that encrypts and decrypts the volume's sectors (the same key is used for both). It is 128 or 256 bits for the AES-CBC methods and 256 or 512 bits for XTS-AES, depending on the method chosen.
Volume Master Key (VMK): An intermediate key that encrypts the FVEK. Each unlock method ("key protector") protects a copy of the VMK rather than the FVEK itself, which is why a PIN or recovery password can be added or removed without re-encrypting the volume.
Trusted Platform Module (TPM): The hardware (or firmware) security module in most modern computers. It seals the VMK to the measured boot state, so the key is only released when the firmware, Secure Boot state and boot manager match what was recorded when BitLocker was turned on.
Password/PIN: An optional but highly recommended second factor. With TPM+PIN the TPM will not unseal the VMK until the correct PIN is supplied at boot, in addition to the PCR check. Adding a PIN mitigates the bus-sniffing (LPC/SPI) attack described below.
Recovery Password: If the TPM cannot unseal the VMK (for example after a firmware update, a hardware change, or Secure Boot being switched off), BitLocker accepts a 48-digit numeric recovery password. A recovery key file (.BEK) stored on USB is a separate protector type.

How BitLocker's Keys Work
BitLocker does not use a private key in the asymmetric sense; there is no public/private pair involved in reading the disk. The volume is encrypted with a symmetric key (the FVEK), and BitLocker's security comes from controlling access to that key. The chain is: the FVEK is encrypted with the VMK, and the VMK is wrapped by one or more key protectors, the TPM being the most common. Here's how it works in detail:

Generation of the keys: When BitLocker is first enabled, the FVEK and VMK are generated. The FVEK encrypts the volume. It is never written to disk in the clear; it is stored in the volume metadata encrypted under the VMK.

TPM and the protection of the VMK: The TPM seals the VMK. Sealing encrypts it under a key that exists only inside that TPM (an object in its storage hierarchy, rooted in the Storage Root Key; the Endorsement Key is the TPM's identity key, used for attestation, not for sealing) together with a policy naming the PCR values the TPM must contain at unseal time. The sealed blob is useless to any other TPM, so removing the drive and connecting it to another computer does not help an attacker. Here's the process:
Sealing the VMK: When BitLocker is enabled, the VMK is sealed to the TPM against the current PCR values.
Storing the sealed VMK: The sealed VMK and the VMK-encrypted FVEK are stored in the volume's metadata on disk. Neither can be recovered without the TPM (and PIN, if configured) or another protector such as the recovery password.
Unsealing at boot: On startup the Windows boot manager asks the TPM to unseal the VMK. The TPM compares its current PCRs, which record the firmware, Secure Boot state and boot manager measured during this boot, with the values in the sealing policy. If anything has changed (a bootkit, modified firmware, Secure Boot disabled), the unseal fails and the key is not released.
Releasing the VMK: If the measurements match, the TPM releases the VMK, the boot manager decrypts the FVEK with it, and the operating system can read the volume. BitLocker then extends PCR 11 so the VMK cannot be unsealed again later in the same boot session.

AES-256 vs. XTS-AES-256: The Encryption Methods
BitLocker offers AES-CBC 128 and 256 (the method used by Windows 7 and 8, kept for compatibility) and XTS-AES 128 and 256 (the default for fixed drives since Windows 10 version 1511). In the context of this article the 128-bit variants are ignored. Both methods are symmetric and both use the same AES block cipher; they differ in the mode of operation, that is, how the cipher is applied across the sectors of a disk.

AES-256
AES (Advanced Encryption Standard) encrypts data in fixed 128-bit blocks; the "256" is the key length. The block cipher itself is not the weak point. The challenge in full-disk encryption is the mode: each sector must be encrypted independently so it can be rewritten in place, and there is no room in a sector for a per-sector IV or an authentication tag. BitLocker's older AES-CBC mode derives the IV from the sector number, which is adequate for confidentiality, but an attacker who can modify ciphertext can produce predictable changes in the next plaintext block (bit flipping), which is why Windows 7 paired CBC with the Elephant diffuser. This is where XTS-AES-256 comes in.

XTS-AES-256
XTS-AES (XEX-based tweaked-codebook mode with ciphertext stealing, standardised in IEEE 1619) is an AES mode designed specifically for sector-addressed storage. It uses two keys (for XTS-AES-256, two 256-bit keys, which is why BitLocker's FVEK is 512 bits in this mode): one encrypts the data blocks, the other encrypts the sector number to produce a tweak. The tweak is multiplied by a constant in GF(2^128) for each successive 16-byte block in the sector and XORed into the block both before and after the AES call. As a result the same plaintext encrypts differently in every sector and at every block position, so repeated content does not produce repeated ciphertext, and a modified ciphertext block decrypts to 16 bytes of garbage rather than a controlled bit flip. XTS provides no integrity check; the goal is to make offline tampering unpredictable, not to detect it. For BitLocker, XTS-AES-256 is the preferred method because it was designed for disk encryption and gives stronger protection in that context.

Adding a PIN or Password
In addition to sealing the VMK to the TPM, BitLocker can require an additional authentication factor at boot: a PIN (numeric by default; alphanumeric "enhanced" PINs can be allowed by policy) or, on machines without a TPM, a password. Here's how the process works when a PIN is added:
PIN as TPM authorisation: The PIN is not part of the disk encryption key. It becomes an authorisation value for the sealed VMK, so the TPM requires both the expected PCR values and the PIN-derived secret before it will unseal. The TPM's anti-hammering lockout limits how fast PINs can be guessed.
Unsealing the VMK: The TPM releases the VMK only when the correct PIN is entered at boot. Without it, an attacker with physical access to the machine and an unmodified boot chain still cannot obtain the VMK and therefore cannot read the drive.
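
To make the XTS discussion concrete, here is an added example (not from the original post and not BitLocker's implementation): .NET AES in ECB mode is used as the raw block cipher, and the XTS layer per IEEE 1619 (tweak from the sector number, GF(2^128) doubling per block, XOR before and after AES) is written out by hand. The keys and plaintext are constructed for the demonstration.

```powershell
# Added example: why the XTS tweak matters, shown on two identical 16-byte plaintext blocks.
# Toy keys and data; this is an illustration of the mode, not BitLocker's code.

function New-AesEcbEncryptor([byte[]]$Key) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $aes.Key     = $Key
    return $aes.CreateEncryptor()
}

function Invoke-AesBlock($Encryptor, [byte[]]$Block) {
    $out = New-Object byte[] 16
    [void]$Encryptor.TransformBlock($Block, 0, 16, $out, 0)
    return $out
}

function Get-Xor([byte[]]$A, [byte[]]$B) {
    $r = New-Object byte[] 16
    for ($i = 0; $i -lt 16; $i++) { $r[$i] = $A[$i] -bxor $B[$i] }
    return $r
}

# Multiply the tweak by x (alpha) in GF(2^128): little-endian shift left by one bit,
# folding the carry back in with the reduction polynomial x^128 + x^7 + x^2 + x + 1 (0x87).
function Step-Tweak([byte[]]$T) {
    $r = New-Object byte[] 16
    $carry = 0
    for ($i = 0; $i -lt 16; $i++) {
        $r[$i] = ((([int]$T[$i]) -shl 1) -bor $carry) -band 0xFF
        $carry = (([int]$T[$i]) -shr 7) -band 1
    }
    if ($carry) { $r[0] = $r[0] -bxor 0x87 }
    return $r
}

# XTS-AES for one sector: Key1 encrypts the data, Key2 encrypts the sector number into the tweak.
function Protect-XtsSector([byte[]]$Key1, [byte[]]$Key2, [uint64]$Sector, [byte[]]$Plain) {
    $dataEnc  = New-AesEcbEncryptor $Key1
    $tweakEnc = New-AesEcbEncryptor $Key2
    $tweakIn  = New-Object byte[] 16
    [BitConverter]::GetBytes($Sector).CopyTo($tweakIn, 0)          # sector number, little-endian
    $T   = Invoke-AesBlock $tweakEnc $tweakIn
    $out = New-Object byte[] $Plain.Length
    for ($j = 0; $j -lt $Plain.Length / 16; $j++) {
        [byte[]]$p = $Plain[($j * 16)..($j * 16 + 15)]
        $c = Get-Xor (Invoke-AesBlock $dataEnc (Get-Xor $p $T)) $T   # XEX: whiten, encrypt, whiten
        $c.CopyTo($out, $j * 16)
        $T = Step-Tweak $T                                           # tweak for the next block position
    }
    return $out
}

# Plain ECB for comparison: every block encrypted independently, no tweak.
function Protect-EcbSector([byte[]]$Key, [byte[]]$Plain) {
    $enc = New-AesEcbEncryptor $Key
    $out = New-Object byte[] $Plain.Length
    for ($j = 0; $j -lt $Plain.Length / 16; $j++) {
        [byte[]]$p = $Plain[($j * 16)..($j * 16 + 15)]
        (Invoke-AesBlock $enc $p).CopyTo($out, $j * 16)
    }
    return $out
}

function Get-Hex([byte[]]$Bytes) { [BitConverter]::ToString($Bytes) }

# Constructed input: two identical blocks, like a run of repeated or zero-filled data on disk.
$key1  = [byte[]](1..32)
$key2  = [byte[]](33..64)
$block = [System.Text.Encoding]::ASCII.GetBytes('same 16 byte blk')
$plain = $block + $block

$ecb  = Protect-EcbSector $key1 $plain
$xts  = Protect-XtsSector $key1 $key2 0 $plain
$xts1 = Protect-XtsSector $key1 $key2 1 $plain
'ECB: block0 == block1     : {0}' -f ((Get-Hex ([byte[]]($ecb[0..15]))) -eq (Get-Hex ([byte[]]($ecb[16..31]))))
'XTS: block0 == block1     : {0}' -f ((Get-Hex ([byte[]]($xts[0..15]))) -eq (Get-Hex ([byte[]]($xts[16..31]))))
'XTS: sector0 == sector1   : {0}' -f ((Get-Hex ([byte[]]($xts[0..15]))) -eq (Get-Hex ([byte[]]($xts1[0..15]))))
```

Expected: the ECB comparison prints True (identical plaintext blocks give identical ciphertext, so structure leaks), while both XTS comparisons print False, because the tweak differs per block position and per sector. Flip one bit of an XTS ciphertext block and decrypt it and you get 16 bytes of noise, not a predictable plaintext change; that is the property that matters against an attacker editing the disk offline.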
How the TPM Bus Can Compromise BitLocker
A discrete TPM talks to the chipset over a low-speed bus: LPC (Low Pin Count) on older boards, SPI or I2C on newer ones. These buses carry no encryption, and with TPM-only protection the VMK crosses the bus in the clear on every boot, because the TPM releases it automatically once the PCRs match. An attacker who clips a logic analyser onto the bus, or onto a neighbouring chip that shares it, captures the VMK and can decrypt the drive offline; this has been demonstrated publicly against real laptops. Firmware TPMs are not exposed to this particular attack because they have no external bus.

Enhancing Security with a PIN
To mitigate bus-sniffing attacks, BitLocker allows a PIN as an additional authentication factor. Here's how it works:
User Input Required: Before the VMK is unsealed, the user must enter a PIN. This is a second factor on top of the TPM's PCR-based integrity check.
Secure Key Unsealing: The TPM unseals the VMK only when the PIN-derived authorisation is presented alongside matching PCR values. Without the PIN the VMK stays sealed, whatever is connected to the bus.
Protection Against Physical Attacks: A stolen or unattended machine never releases the VMK on its own, so there is nothing to capture. The attacker now needs the PIN as well, and the TPM's lockout limits guessing.

Recovery Key
If the TPM cannot unseal the VMK (for instance after a hardware change, a firmware update that altered the PCRs, or a corrupted TPM configuration), BitLocker allows users to unlock the drive with a recovery password. This is a 48-digit numeric code, shown in eight groups of six digits, that can be typed in at the pre-boot recovery screen. The recovery password can be stored in several ways:
Saved to a USB drive or a file.
Printed and stored in a secure location.
Stored in a Microsoft account, or escrowed in Active Directory or Entra ID for enterprise users.
If the TPM does not release the VMK during boot, the system prompts for the recovery password, allowing access to the encrypted disk. The recovery password is a key protector in its own right, so it must be guarded as carefully as the PIN.

Conclusion
BitLocker, when used with the TPM and XTS-AES-256 encryption, provides a highly secure solution for protecting data at rest. The TPM ensures that the key is not released unless the boot chain is intact, while XTS-AES-256 improves the security of full-disk encryption by removing the patterns and tampering opportunities of older modes. Incorporating a PIN alongside the TPM and XTS-AES-256 closes the bus-sniffing gap and provides the strongest configuration for securing sensitive data against the range of physical threats discussed here.
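
Putting the recommendations together, here is an added example (not from the original post) that enables BitLocker the way the article argues for: XTS-AES-256, TPM+PIN as the only pre-boot protector, and a recovery password escrowed rather than printed. The FVE policy value meanings in the comments are the documented ones for the "Require additional authentication at startup" and "Choose drive encryption method" policies; the function name and flow are my own. Run it elevated and preview with -WhatIf first.

```powershell
# Added example (not from the original post): BitLocker with XTS-AES-256 and TPM+PIN, recovery escrowed.
function Enable-BitLockerTpmPin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin,
        [switch]$BackupToActiveDirectory
    )

    # Local policy under the FVE key. Without UseAdvancedStartup and UseTPMPIN set, the
    # TpmAndPin protector is refused. For the Use* values: 0 = do not allow, 1 = require, 2 = allow.
    # EncryptionMethodWithXtsOs: 3/4 = AES-CBC 128/256, 6 = XTS-AES 128, 7 = XTS-AES 256.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if ($PSCmdlet.ShouldProcess($fve, 'set BitLocker policy: TPM+PIN required, TPM-only not allowed, XTS-AES-256')) {
        New-Item -Path $fve -Force | Out-Null
        Set-ItemProperty -Path $fve -Name UseAdvancedStartup         -Value 1 -Type DWord
        Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM         -Value 0 -Type DWord
        Set-ItemProperty -Path $fve -Name UseTPM                     -Value 0 -Type DWord   # TPM-only: do not allow
        Set-ItemProperty -Path $fve -Name UseTPMPIN                  -Value 1 -Type DWord   # TPM + PIN: require
        Set-ItemProperty -Path $fve -Name UseTPMKey                  -Value 0 -Type DWord
        Set-ItemProperty -Path $fve -Name UseTPMKeyPIN               -Value 0 -Type DWord
        Set-ItemProperty -Path $fve -Name EncryptionMethodWithXtsOs  -Value 7 -Type DWord
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable-BitLocker XtsAes256 with TPM+PIN')) {
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                -TpmAndPinProtector -Pin $Pin -SkipHardwareTest
        }
    }
    elseif ($types -notcontains 'TpmPin') {
        # Already encrypted with a weaker protector: add TPM+PIN first, then drop the TPM-only one.
        if ($PSCmdlet.ShouldProcess($MountPoint, 'replace TPM-only protector with TPM+PIN')) {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
            $vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' } | ForEach-Object {
                Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            }
        }
    }

    # The recovery password is the escape hatch when PCRs change; escrow it instead of printing it.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (@($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" }) -notcontains 'RecoveryPassword') {
        if ($PSCmdlet.ShouldProcess($MountPoint, 'add recovery password protector')) {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        }
    }
    if ($BackupToActiveDirectory) {
        (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } | ForEach-Object {
                if ($PSCmdlet.ShouldProcess($MountPoint, "escrow recovery password $($_.KeyProtectorId) to AD")) {
                    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
                }
            }
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
                      @{ n = 'Protectors'; e = { @($_.KeyProtector.KeyProtectorType | ForEach-Object { "$_" }) -join ', ' } }
}

# Preview, then run for real without -WhatIf. The PIN is read as a SecureString, never put in the script.
$pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
Enable-BitLockerTpmPin -Pin $pin -BackupToActiveDirectory -WhatIf
```

The default minimum PIN length is 6 digits; raise it with the MinimumPIN policy value and allow letters with UseEnhancedPin if you want alphanumeric PINs. Backup-BitLockerKeyProtector requires the machine to be domain-joined and the AD schema to hold BitLocker recovery information; on Entra-joined devices use BackupToAAD-BitLockerKeyProtector instead.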

  • PowerShell Logging and Not Start-Transcript

    Introduction
While PowerShell's Start-Transcript command is a common choice for logging script output, it has its shortcomings. It records console output (Write-Host and whatever else reaches the host) without structured log levels, consistent formatting, or robust error tracking. Logging in PowerShell scripts is often overlooked, I know I often overlook it for 'just a quick script', yet it plays a crucial role in confirming what a script actually did. In this example that is the movement of family photos; there is nothing more important on my computer than decades of pictures and videos, and I can't afford for any to be deleted or lost. So logging is vitally important. The script to organise files by year and then by month can be downloaded from (here).

Reminder Before You Begin
Before running this script on important files, make sure to test it first! While it worked during my testing and use, it's always best to double-check before making big changes.

Overview
This PowerShell script automates file organisation within a specified directory. It performs two main functions:
Detecting and moving duplicate files, identified by SHA256 hash, to a duplicates folder.
Sorting the remaining files into subdirectories organised by year and month, based on their last modified date.
Additionally, the script logs its execution, any errors, and the actions taken during the process.

Key Components of the Script

1. Parameters and Initialization
The script accepts two parameters:
$Data2SortPath: The main directory containing the files to be organised.
$duplicatesPath: A subdirectory where duplicate files will be moved.
A log file is created at the start with a timestamped filename:

    $LogFile = "$($Data2SortPath)\OrganizeFilesLog_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"

This ensures that each run generates a new log file rather than overwriting the previous one.

2. Logging Functionality
The script includes a custom logging function, Write-MoveLog, to standardise log messages:

    function Write-MoveLog {
        param (
            [string]$Message,
            [string]$LogLevel = "INFO"
        )
        $Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        "$Timestamp [$LogLevel] $Message" | Out-File -FilePath $LogFile -Append
    }

This function formats each entry with a timestamp, assigns a severity level (INFO, WARNING, ERROR), and appends it to the designated log file.

3. Directory Validation and Setup
Before processing files, the script checks whether the specified directory exists:

    if (-not (Test-Path -Path $Data2SortPath)) {
        Write-MoveLog "Error: The specified path '$Data2SortPath' does not exist." "ERROR"
        throw "The specified path does not exist."
    }

If the directory does not exist, an error is logged and execution halts. Similarly, it ensures the duplicates folder exists or creates it:

    if (-not (Test-Path -Path $duplicatesPath)) {
        New-Item -Path $duplicatesPath -ItemType Directory -Force | Out-Null
        Write-MoveLog "Created duplicates folder at '$duplicatesPath'." "INFO"
    }

4. Retrieving Files for Processing
The script gathers all files within the directory, skipping anything already in the duplicates folder and ignoring .log and .zip files, so the script's own log is never sorted. All three conditions must hold for a file to be selected:

    $gtFiles = Get-ChildItem -Path $Data2SortPath -Recurse -File | Where-Object {
        $_.DirectoryName -notmatch 'duplicates' -and
        $_.Extension -ne '.log' -and
        $_.Extension -ne '.zip'
    }

5. Detecting and Handling Duplicates
Each file's SHA256 hash is computed to detect duplicates:

    $gtFileHash = (Get-FileHash -Algorithm SHA256 -Path $file.FullName).Hash

If the hash has already been seen, the file is moved to the duplicates folder under a unique name so that nothing is overwritten:

    $duplicateName = Join-Path -Path $duplicatesPath -ChildPath $file.Name
    $counter = 1
    while (Test-Path -Path $duplicateName) {
        $duplicateName = Join-Path -Path $duplicatesPath -ChildPath ("{0}_{1}{2}" -f $file.BaseName, $counter, $file.Extension)
        $counter++
    }
    Move-Item -Path $file.FullName -Destination $duplicateName
    Write-MoveLog "Duplicate detected: '$($file.FullName)' moved to '$duplicateName'." "INFO"

6. Organizing Files by Date
For non-duplicate files, the script takes the last modified date and builds a Year\Month folder path:

    $year      = $file.LastWriteTime.Year
    $monthName = (Get-Culture).DateTimeFormat.GetMonthName($file.LastWriteTime.Month)
    $yearPath  = Join-Path -Path $Data2SortPath -ChildPath $year
    $monthPath = Join-Path -Path $yearPath -ChildPath $monthName

If these directories do not exist, they are created:

    if (-not (Test-Path -Path $yearPath)) {
        New-Item -ItemType Directory -Path $yearPath -Force | Out-Null
        Write-MoveLog "Created year folder at '$yearPath'." "INFO"
    }
    if (-not (Test-Path -Path $monthPath)) {
        New-Item -ItemType Directory -Path $monthPath -Force | Out-Null
        Write-MoveLog "Created month folder at '$monthPath'." "INFO"
    }

Files are then moved to their respective folders. If a file with the same name already exists in the target folder, the incoming file is given a numbered name, moved to the duplicates folder for review, and the clash is logged as a WARNING rather than silently overwriting:

    $destination = Join-Path -Path $monthPath -ChildPath $file.Name
    if (Test-Path -Path $destination) {
        $counter = 1
        $duplicateName = Join-Path -Path $duplicatesPath -ChildPath ("{0}_{1}{2}" -f $file.BaseName, $counter, $file.Extension)
        while (Test-Path -Path $duplicateName) {
            $counter++
            $duplicateName = Join-Path -Path $duplicatesPath -ChildPath ("{0}_{1}{2}" -f $file.BaseName, $counter, $file.Extension)
        }
        Move-Item -Path $file.FullName -Destination $duplicateName
        Write-MoveLog "Name clash: '$($file.FullName)' moved to '$duplicateName'." "WARNING"
    }
    else {
        Move-Item -Path $file.FullName -Destination $destination -Verbose
        Write-MoveLog "File '$($file.FullName)' moved to '$destination'." "INFO"
    }

7. Error Handling and Final Logging
Errors are caught and logged throughout the script, and processing continues with the next file:

    catch {
        Write-MoveLog "Failed to move file '$($file.FullName)': $_" "ERROR"
        continue
    }

Finally, a message indicates the script's completion:

    Write-MoveLog "File organization complete. See details in the log file at '$LogFile'." "INFO"
    Write-Host "Processing complete. Logs are saved to '$LogFile'."

Conclusion
This PowerShell script makes sorting your files a breeze! It finds duplicates, organises everything by date, and keeps a detailed log so you always know what happened. The built-in logging helps with troubleshooting, making it easy to track any issues. Of course, if you hit any issues please provide feedback via the form on the home page. Thanks, and as always your time is appreciated.
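
The following is an added example and not the author's script: it takes the logging idea above one step further. Each entry is a single JSON object per line (so the log can be filtered with ConvertFrom-Json rather than regex), the calling function is recorded automatically, and every move goes through a ShouldProcess-aware wrapper so that -WhatIf produces a fully logged dry run before any file is touched. Function names, the log location and the sample files are my own.

```powershell
# Added example (not the author's script): structured JSON-lines logging plus a dry-run-capable move.

$script:LogFile = Join-Path $env:TEMP ('OrganizeFiles_{0:yyyyMMdd_HHmmss}.jsonl' -f (Get-Date))

function Write-JsonLog {
    param(
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('DEBUG', 'INFO', 'WARNING', 'ERROR')][string]$Level = 'INFO',
        [hashtable]$Data = @{}
    )
    $entry = [ordered]@{
        time    = (Get-Date).ToString('o')              # ISO 8601 with offset, sorts correctly
        level   = $Level
        caller  = (Get-PSCallStack)[1].Command          # the function that asked for this log line
        message = $Message
    }
    foreach ($k in $Data.Keys) { $entry[$k] = $Data[$k] }
    ($entry | ConvertTo-Json -Compress -Depth 3) | Out-File -FilePath $script:LogFile -Append -Encoding utf8
}

function Move-FileLogged {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][System.IO.FileInfo]$File,
        [Parameter(Mandatory)][string]$DestinationDir
    )
    # Never overwrite: if the name is taken, suffix _1, _2, ... and record the clash as a WARNING.
    $target = Join-Path $DestinationDir $File.Name
    $n = 1
    while (Test-Path -LiteralPath $target) {
        $target = Join-Path $DestinationDir ('{0}_{1}{2}' -f $File.BaseName, $n, $File.Extension)
        $n++
    }
    if ($n -gt 1) { Write-JsonLog 'Name clash, renamed' WARNING @{ source = $File.FullName; target = $target } }

    if ($PSCmdlet.ShouldProcess($File.FullName, "move to $target")) {
        try {
            if (-not (Test-Path -LiteralPath $DestinationDir)) {
                New-Item -ItemType Directory -Path $DestinationDir -Force | Out-Null
            }
            Move-Item -LiteralPath $File.FullName -Destination $target -ErrorAction Stop
            Write-JsonLog 'Moved' INFO @{ source = $File.FullName; target = $target; bytes = $File.Length }
        }
        catch {
            Write-JsonLog "Move failed: $($_.Exception.Message)" ERROR @{ source = $File.FullName; target = $target }
        }
    }
    else {
        Write-JsonLog 'Dry run, not moved' INFO @{ source = $File.FullName; target = $target }
    }
}

# Constructed sample: three small files in a temp folder, one a byte-for-byte duplicate.
$root = Join-Path $env:TEMP 'organize-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
'holiday'  | Set-Content (Join-Path $root 'a.txt')
'holiday'  | Set-Content (Join-Path $root 'b.txt')     # duplicate of a.txt
'birthday' | Set-Content (Join-Path $root 'c.txt')

$seen = @{}
foreach ($f in Get-ChildItem -LiteralPath $root -File) {
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $dest = if ($seen.ContainsKey($hash)) { Join-Path $root 'duplicates' }
            else {
                $seen[$hash] = $f.FullName
                Join-Path $root ('{0}\{1}' -f $f.LastWriteTime.Year, $f.LastWriteTime.ToString('MMMM'))
            }
    Move-FileLogged -File $f -DestinationDir $dest -WhatIf     # remove -WhatIf to apply the moves
}

# Read the log back as objects, e.g. only the warnings and errors:
Get-Content $script:LogFile | ConvertFrom-Json | Where-Object { $_.level -in 'WARNING', 'ERROR' }
```

Because the dry run writes the same entries the real run would (with "Dry run, not moved" as the message), you can diff the two logs afterwards and confirm that every planned move actually happened, which is the assurance the photo-sorting scenario above needs.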

  • Kali on Pi or Odroid?

    I've purchased various pentest devices, not going to mention any names. I've always found them to be lacking in capability and storage. A better option, and one where you get to assemble your own device, is to use a Pi or my favourite, an Odroid; they tend to have more power.
Download the ARM image from https://www.offensive-security.com/kali-linux-arm-images/
Install Win32 Disk Imager on Windows: http://sourceforge.net/projects/win32diskimager/files/latest/download
Insert a microSD card of at least 16 GB.
Write the Kali image to the card.
Insert the card into the Pi/Odroid and power on.
Log on with the default account root and the password toor. If that fails, try kali with the password kali.
Change the default password straight away:
    passwd
Update and upgrade:
    apt-get update && apt-get upgrade
    apt-get -y full-upgrade
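
Before writing the image, it is worth checking that the download is the one the Kali team published. Here is an added example (not from the original post) that compares the image against the SHA256SUMS file distributed alongside it; the file names and the "hash  filename" line format are assumptions.

```powershell
# Added example (not from the original post): verify the ARM image before burning it.
function Test-ImageChecksum {
    param(
        [Parameter(Mandatory)][string]$ImagePath,
        [Parameter(Mandatory)][string]$SumsPath
    )
    $name    = [System.IO.Path]::GetFileName($ImagePath)
    # Typical sums line: "<64 hex chars>  <filename>" (an optional '*' marks binary mode).
    $pattern = '^\s*([0-9a-fA-F]{64})\s+\*?' + [regex]::Escape($name) + '\s*$'
    $line    = Get-Content -LiteralPath $SumsPath | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { throw "No SHA256 entry for '$name' in $SumsPath" }
    $expected = ($line -replace '^\s*([0-9a-fA-F]{64}).*$', '$1').ToUpperInvariant()
    $actual   = (Get-FileHash -LiteralPath $ImagePath -Algorithm SHA256).Hash
    [pscustomobject]@{ Image = $name; Expected = $expected; Actual = $actual; Match = ($expected -eq $actual) }
}

# Placeholder paths: point these at the downloaded image and the SHA256SUMS file next to it.
$result = Test-ImageChecksum -ImagePath "$HOME\Downloads\kali-linux-arm.img.xz" -SumsPath "$HOME\Downloads\SHA256SUMS"
if (-not $result.Match) { throw "Checksum mismatch for $($result.Image); do not write this image" }
$result
```

A matching hash only proves the image is the one the sums file describes, so fetch the sums file over HTTPS from the project site and, where a signature for it is published, verify that too; otherwise an attacker who can replace the image can replace the sums file as well.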

  • Basic's for Securing the Enterprise

    All operating systems, applications, databases and hardware are vulnerable to hackers, some to a greater or lesser extent. Microsoft's Windows OS has made great improvements with Windows 10 and continues to improve with later releases. However, these improvements are often undermined by poor practice and/or misconfigurations.

Here is my take on Windows Security 101, basic good practices everyone should follow or at least be aware of:

Prior to implementing or making changes to any system, make sure it's documented with a repeatable process, peer-reviewed and tested. So that's the boring bit done.

Encrypting the operating system drive with BitLocker not only keeps the data safe but prevents many physical attacks against the OS and offline privilege escalation (booting another OS to edit system files or the SAM). Using a TPM and PIN is best.

Always patch and update, not just the OS; don't forget the applications.

Install only necessary applications. Don't install Adobe PDF Reader if you're using Chrome or Edge; use the browser as the PDF reader. Adobe Reader is a gateway app to the system being compromised..... and one more application to update.

Enable firewalls throughout the enterprise, from edge routers to the host-based firewalls on the client. Not only do firewalls prevent remote attacks (the hacker has to rely on clickbait instead) but they limit the spread of malware if a client is compromised.

Enable AV and keep it up to date. It is suggested that AV on its own provides at most around 40% protection against malware, so also deploy application control such as AppLocker or Device Guard (WDAC) to stop unauthorised execution of programs.

Disable all local Administrator accounts and set long, complex and unique passwords regardless; there is no guarantee those accounts remain disabled (LAPS manages unique local admin passwords automatically).

Maintain account privilege separation. Don't allow accounts that have client privileges to also hold server rights or Domain Admin membership. Don't allow any server or Domain Admin account to log on to any end client.

Don't reuse any password; ensure uniqueness across all accounts.

Don't store passwords or configuration files on shares; this is the first thing an attacker will look for. I've seen passwords in clear text on deployment shares for Domain Admin service accounts.

Just as important as the active protections is the monitoring. How do you know that the implemented protections are effective, or that one of your admins hasn't ignored 'thou shalt not log on to a client with DA'? The current average time from hack to detection is 206 days........ Read this

Backups.

Finally, have the system pentested and remediate any issues.

Let's be clear, no system is 100% safe. The above recommendations are a starter for ten and won't stop a targeted, prolonged and sustained attack; at best they will slow it down.

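The following is an added example, not part of the original post: a quick local check of several of the basics above (host firewall, Defender, AppLocker enforcement, the built-in Administrator account, Domain Admins in local Administrators) and a scan of a share for the clear-text credentials the post warns about. The share path, file types and the credential regex are illustrative; BitLocker and TPM checks are covered by the example under the Windows 11 post.

```powershell
# Added example (not from the original post): check a few of the basics, then hunt for stored passwords.
function Get-EnterpriseBasicsReport {
    $issues = [System.Collections.Generic.List[string]]::new()

    # Host firewall: all three profiles should be on.
    foreach ($p in Get-NetFirewallProfile) {
        if ("$($p.Enabled)" -ne 'True') { $issues.Add("Firewall profile '$($p.Name)' is disabled") }
    }

    # Defender: real-time protection on and signatures recent.
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) { $issues.Add('Defender real-time protection is off') }
    if ($mp.AntivirusSignatureAge -gt 3)    { $issues.Add("AV signatures are $($mp.AntivirusSignatureAge) days old") }

    # AppLocker: a collection that is audit-only or not configured blocks nothing.
    $collections = @((Get-AppLockerPolicy -Effective).RuleCollections)
    if ($collections.Count -eq 0) { $issues.Add('No AppLocker rule collections in the effective policy') }
    foreach ($rc in $collections) {
        if ("$($rc.EnforcementMode)" -ne 'Enabled') {
            $issues.Add("AppLocker $($rc.RuleCollectionType) collection is $($rc.EnforcementMode)")
        }
    }

    # Built-in Administrator is RID 500 whatever it has been renamed to.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($admin -and $admin.Enabled) { $issues.Add("Built-in Administrator account '$($admin.Name)' is enabled") }

    # Privilege separation: Domain Admins should never be a local admin on a client.
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
    if ($members | Where-Object { $_ -match '\\Domain Admins$' }) {
        $issues.Add('Domain Admins is a member of local Administrators')
    }

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Issues = $issues.ToArray() }
}

function Find-PlaintextCredential {
    # Looks for the usual "password = ..." shapes in text-like files on a share. The pattern is
    # deliberately broad and will produce false positives; every hit needs a human look.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.txt', '*.ini', '*.xml', '*.config', '*.ps1', '*.bat', '*.cmd', '*.vbs', '*.json', '*.yml', '*.yaml')
    )
    $pattern = '(?i)\b(pass(word|wd)?|pwd|secret|api[_-]?key|connectionstring)\b\s*[:=]\s*\S+'
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern -List |
        Select-Object Path, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } }
}

Get-EnterpriseBasicsReport | Format-List
Find-PlaintextCredential -Path '\\deployserver\deploy$' | Format-Table -AutoSize   # placeholder share
```

Run the report through your management tooling across the estate rather than once by hand, and treat the credential scan's output as sensitive in its own right: the report contains exactly the secrets you are trying to get off the share.
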
  • Passwords, this is not a lecture.....

    There's a lot on the web regarding passwords and what they should consist of. There are plenty of sites that also validate the strength of a would-be password. But do those sites make useful suggestions??? Let's find out. But first, what makes a stronger, better password? Clearly, the longer the password and the more types of characters used, the better. However, creating a password from a word and substituting letters for numbers is not advisable: password-cracking tools have rules for exactly this behaviour, as well as for adding numbers to the end of a word. Password, Pa$$word, P455word and Password1234 are some truly awful examples of what's bad. The following table shows the top sites from Google search results. So I decided to test those sites. Passwords of varying complexity were entered and the results are below. The colour coding depicts how well the site did with a given password: red is bad, yellow is okay-ish and green is good. As you can see, some sites believe that 'Password1234' will take 10,000 years to crack. Of the sites tested only 'https://www.my1login.com' provided realistic results for known passwords. I'm not sure of the validity of 'sokv3sHMqdCgUB' taking 27 trillion years to crack; it's based on A to Z upper and lower case characters and numbers. 'https://password.kaspersky.com/' rates the password and validates it against known password lists. Interestingly, Kaspersky rated 'sokv3sHMqdCgUB' higher than 'u%L~C3|u^@ LT'. We know not to trust sites to validate the strength of passwords, and we have an idea of what is acceptable and what's a bad password. So the advice is mixed, and managing the type and number of complex passwords required is a massive nightmare. My suggestion is to delegate the task to a program designed to generate passwords; personally, I use KeePass and all my passwords look something like 'L$e(`}0}*MmhtKm(WBrY' or '0iJqhzxlMv81mU6ARnVf', both 20 characters.
Some sites don't support the additional special characters and an alternative A to Z and number password is needed. Simple, right!!! Not really. Kaspersky collects password lists and, by the looks of it, many thousands of them. Many of those lists will be from sites and companies that have been hacked and had their passwords uploaded to the Internet. Visit 'https://www.avast.com/hackcheck'; it's the same idea as 'https://haveibeenpwned.com/' but better: no signing up, and Avast delivered an email with the sites and associated passwords. It's never simple and there's a 'but'. Companies that have been hacked try to hide the fact, or simply don't know for extended periods. Your password or its hash could be out in the wild and you may never know, undermining the long complex KeePass passwords. What to do.... 2-factor authentication..... what the......Don't panic, it's not that bad..... If you're an Android user, download 'Google Authenticator'. For any site that provides email, financial or social media services, enable 2FA. When you log on, the password is entered and then a rotating 6-digit code from the phone. If your password is compromised the hacker won't have the second part of the authentication to log on. Hopefully an alert will be sent to your email address informing you of an unsuccessful login attempt, providing time to change the password. In these connected times, it's important to secure your online presence as much as you secure your personal possessions with locks on the doors. Of course, burying your head can be an alternative plan; however, I belong to the tin hat brigade and tend to secure everything to the point it stops being useful ;)
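
To put numbers behind the "27 trillion years" question, here is an added example (not from the original post). It works out the keyspace of the passwords discussed above and the time to exhaust it at a chosen guess rate, and it generates passwords with a cryptographic RNG and rejection sampling rather than Get-Random. The guess rates are assumptions chosen to illustrate the difference between offline and online attacks.

```powershell
# Added example (not from the original post): brute-force budget and CSPRNG password generation.

function Get-CharsetSize([string]$Password) {
    # Size of the smallest standard alphabet that contains every character used.
    $n = 0
    if ($Password -cmatch '[a-z]')       { $n += 26 }
    if ($Password -cmatch '[A-Z]')       { $n += 26 }
    if ($Password -match  '[0-9]')       { $n += 10 }
    if ($Password -match  '[^A-Za-z0-9]') { $n += 33 }   # printable ASCII symbols including space
    return $n
}

function Get-BruteForceEstimate {
    param([Parameter(Mandatory)][string]$Password, [double]$GuessesPerSecond = 1e12)
    $charset  = Get-CharsetSize $Password
    $keyspace = [math]::Pow($charset, $Password.Length)
    $years    = $keyspace / $GuessesPerSecond / 31557600      # whole keyspace, not the average half
    [pscustomobject]@{
        Password       = $Password
        Length         = $Password.Length
        Charset        = $charset
        EntropyBits    = [math]::Round([math]::Log($keyspace, 2), 1)
        Rate           = ('{0:E0}/s' -f $GuessesPerSecond)
        YearsToExhaust = ('{0:E2}' -f $years)
    }
}

function New-RandomPassword {
    param([int]$Length = 20, [switch]$AlphanumericOnly)
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    if (-not $AlphanumericOnly) { $alphabet += '!#$%&()*+,-./:;<=>?@[]^_{|}~' }
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $chars = New-Object char[] $Length
    # Rejection sampling: discard bytes at or above the largest multiple of the alphabet size,
    # so every character is equally likely (plain modulo would bias the low characters).
    $limit = 256 - (256 % $alphabet.Length)
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]; $i++ }
    }
    return -join $chars
}

# The article's examples at an offline rate (fast unsalted hash on a GPU rig, assumed 1e12/s)...
foreach ($pw in 'Password1234', 'sokv3sHMqdCgUB', '0iJqhzxlMv81mU6ARnVf', (New-RandomPassword)) {
    Get-BruteForceEstimate -Password $pw -GuessesPerSecond 1e12
}
# ...and the 14-character one at an online rate (assumed 1e4/s against a login form).
Get-BruteForceEstimate -Password 'sokv3sHMqdCgUB' -GuessesPerSecond 1e4
```

For 'sokv3sHMqdCgUB' the keyspace is 62^14, about 1.2e25 (83 bits). At 1e12 guesses per second that is exhausted in roughly 4e5 years; at 1e4 per second it is on the order of 1e13 years, which is where tens-of-trillions-of-years figures come from: the site is assuming an online guessing rate. The estimate for 'Password1234' is the real caveat, though: keyspace arithmetic gives it about 3e21 combinations, but it sits in every wordlist, so a cracker finds it in seconds. Any checker that reports years for it is measuring the alphabet, not the password.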

  • Does Size Matter....Wifi Antenna????

    Apparently, the wife reckons it does, but she could be having a dig..... This is a bit of fun, nothing scientific: does the size of the wifi antenna matter? The laptop is the Asus Zenbook 301LA with an internal wifi adapter, vs the Alfa AWUS036AC USB wifi adapter. The tests comprise running 'nmcli dev wifi' for the internal adapter and for the Alfa with 18cm and 36cm antennas.

    Internal - top-rated signal strength is 65 and 17 SSIDs
    Alfa 18cm Antenna - top-rated signal strength 3 * 100 and 24 SSIDs
    Alfa 36cm Antenna - top-rated signal strength 2 * 100 and 26 SSIDs

    The Alfa ran rampant over the internal adapter with both increased signal strength and range (visible APs). Surprisingly, the Alfa 18cm antenna beat the 36cm antenna for top signal strength. However, 14 SSIDs were above 51 for the 36cm antenna whereas only 8 are listed for the 18cm antenna. Interestingly, the internal adapter showed a connection speed of 115 Mbps and the Alfa 144 Mbps in the network settings.

    The wife is correct, size does matter; she ain't going to let this go. Although the 18cm antenna holds the outright top signal strength, the 36cm antenna has further reach and lists more SSIDs. The internal wifi adapter is rubbish; as I said, this is not scientific.... It's definitely advantageous to use a dedicated external USB wifi adapter; speed and range are improved. Would I sit in a coffee shop with that monstrosity sticking out of my laptop when I'm trying to look inconspicuous......

  • Windows Patching has broken Applocker Policy Merge

    For the past 5 or 6 years local Applocker policies have been created with PowerShell scripts, and since Jan 2021 (ish) importing and merging .xml files has produced the following error with the following command:

    Set-AppLockerPolicy -XmlPolicy "C:\Secure10\Applocker\Enforce.xml" -Merge

    Set-AppLockerPolicy : The specified rule collection already exists in the policy.
    At line:1 char:1
    + Set-AppLockerPolicy -XmlPolicy "C:\Secure10\Applocker\Enforce.xml" -M ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Set-AppLockerPolicy], RuleCollectionAlreadyExistsException
        + FullyQualifiedErrorId : Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.RuleCollectionAlreadyExistsException,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.SetAppLockerPolicyCmdlet

    On a fresh installation of Windows 10, deploy the PS script and import local policies without issue. Merge can be executed multiple times for all the xml files that PowerShell has generated. Same client, commands and policies, but once updated, merge won't work.... This issue is one for Microsoft to resolve and once an answer is forthcoming I'll post it. Has anyone else experienced the same problem?
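To see which rule collections a merge would touch before running it, here is an added PowerShell diagnostic (my own example, not from the original post and not Microsoft's). It compares the rule collection types (Exe, Msi, Script, Dll, Appx) in the effective local policy, read with Get-AppLockerPolicy -Local -Xml, against those in the XML about to be merged, so the collection the error names can be identified along with each side's enforcement mode and rule count. It is a diagnostic only, not a fix for the merge failure. The function name is mine, the file path in the commented live call is the one from the post, and the two XML strings in the dry run are constructed samples with placeholder rule Ids.

```powershell
# Added example, not from the original post. Diagnostic only: reports which
# rule collections in a policy file already exist in the local policy.
function Compare-AppLockerRuleCollections {
    [CmdletBinding()]
    param(
        # Text of the .xml you intend to pass to Set-AppLockerPolicy -Merge
        [Parameter(Mandatory)][string]$MergeXml,
        # Effective local policy; defaults to the live one, override for a dry run
        [string]$LocalPolicyXml = (Get-AppLockerPolicy -Local -Xml)
    )
    [xml]$local = $LocalPolicyXml
    [xml]$merge = $MergeXml

    $localCollections = @($local.AppLockerPolicy.RuleCollection)
    foreach ($collection in @($merge.AppLockerPolicy.RuleCollection)) {
        # RuleCollection/@Type is what "rule collection already exists" refers to
        $existing   = $localCollections | Where-Object { $_.Type -eq $collection.Type }
        $localRules = 0
        $localMode  = $null
        if ($existing) {
            $localRules = $existing.SelectNodes('*').Count   # child elements = rules
            $localMode  = $existing.EnforcementMode
        }
        [pscustomobject]@{
            Collection       = $collection.Type
            AlreadyLocal     = [bool]$existing
            LocalEnforcement = $localMode
            MergeEnforcement = $collection.EnforcementMode
            LocalRules       = $localRules
            MergeRules       = $collection.SelectNodes('*').Count
        }
    }
}

# Dry run with constructed sample policies (placeholder rule Id, not a real policy):
$sampleLocal = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$sampleMerge = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled" />
  <RuleCollection Type="Script" EnforcementMode="AuditOnly" />
</AppLockerPolicy>
'@
Compare-AppLockerRuleCollections -MergeXml $sampleMerge -LocalPolicyXml $sampleLocal | Format-Table

# Live use, from an elevated prompt, with the path from the post:
# Compare-AppLockerRuleCollections -MergeXml (Get-Content 'C:\Secure10\Applocker\Enforce.xml' -Raw) | Format-Table
```

In the dry run the Exe collection reports AlreadyLocal as True and Script as False; running the live call before each merge records which collections overlap at the time the error appears, which is the evidence worth attaching to a support case.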

  • Time to geek out.....Home Lab

    I've always wondered if other IT Professionals take their work home??? I don't take work home, I take my hobby to work.... There is a serious side to this approach: it allows freedom to explore Microsoft and Linux products without constraints, and it provides insights into the tech articles vs reality without the constraints of deliverables. The following describes my main home environment.

    Hardware:
    Intel NUCs - i7s with 32GB RAM, 1TB SSD and 4TB 2.5" SSD
    Intel NUC Skull Canyon 32GB RAM, 1TB SSD VNAND
    Dell XPS 15
    ASUS Zenbook 580
    ASUS Zenbook 490
    ASUS Zenbook 301LA
    Synology NAS 4 Bay 8TB Usable
    Synology NAS 1 bay 4TB Usable (Selective Backup)
    Zyxel USG60W
    4 * Odroids UX4 (2 * load-balanced Pi Holes)
    Raspberry Pi 4
    Raspberry Pi Zero * 2
    Odroid C4 (RAT) Dual Wifi and RJ45 - Kali RAT
    Various 1Gb switches
    HP 476MFD

    Software:
    Microsoft Action Pack - £470 per year
    Linux and Pi distros

    Main infrastructure, doesn't include VMs that are only spun up for testing:
    NUC1 (HYP1)
      DC19-1
      DC19-2
      SCCM-1
    NUC2 (HYP2)
      OPS-1
      MDT-1
      DC19-3

    The diagram below details the internal DNS setup; there's a method to this madness. The 2 Synology NASs act as DNS proxies performing all recursive queries, protecting the DCs from connecting directly to the Internet. The Pi Holes are load balanced and placed between the member servers, clients and DCs, enabling hostname resolution in the PiHole logs, whilst filtering all the nasties away from the clients and servers.

    NUCs - The powerful and relatively cheap to run Intel NUCs are host servers. Don't criticise, they're Hyper-V; there are benefits, more secure than alternatives....bear with me... don't rage, they receive their patches automatically every month from Microsoft. I specialise in Microsoft OS security and am more confident in securing Windows. Hyper-V finally allows me flexibility with migrating VMs across all the NUCs, Laptops and Skull Canyon.

    Shares and DFS - NUC1 hosts the main bulk of the user shares, with shares for Home, Groups and Media, plus a Software Library going all the way back to Windows NT 4 SP3. The shares are presented to the user with GPO preferences. DFS allows moving the data to a new host without the users (my family) being aware.

    DCs - Windows 2019 Server makes up the Domain Controllers; each Hyper-V host has a DC. The 3rd DC doesn't run any FSMO roles and it's the first to be replaced with a new OS release. Build a new DC alongside and demote the old. No in-place upgrades, which helps keep the DCs clean.

    SCCM\MECM - Yes, I've deployed an enterprise management solution at home. Yes, it does deploy Windows clients and applications, and there are the odd, quite a lot to be honest, compliance rules. Yes, it can deploy Windows Updates, it just doesn't any longer. Until a couple of years ago, my main job was as an SCCM engineer.

    SCOM - Monitors performance of all servers and various synthetic transactions, e.g. the Internet from client to Google. Custom event rules alert on activities that shouldn't happen across all DCs, servers and clients.

    MDT - Creating gold images of course....

    Backups - 2-way replication exists between the Windows Shares and Synology-1. Android phones automatically upload new photos and videos to the NAS, which are then replicated to the Windows Media share. Equally, any new content added to the Windows shares is backed up to the NAS. Synology-2 provides a sort of off-site backup, being away from the main house.

    Clients - Windows 10 clients run the very latest release and are members of the Domain. I don't allow any non-domain joined Windows on the main network. Android is Ok, not Windows and never the head in the sand crapple.

    Security - It's extensive, from firewalls to GPO, Applocker, Device Guard, IPSec and role separation with AD. Clearly, I'm not going to give too much away; everything is turned up to level 10. That's a very quick overview of the home network.

  • Tamperproof Seals are they Effective!!!

    Objective

    The old adage: with any physical access you don't own the system, the person at the keyboard does, even if they're not authorised...... Do physical protections, in this case tamperproof or security stickers, provide any tangible defence? The objective is to remove the tamperproof sticker, fiddle, and reapply the sticker without leaving any evidence of my shenanigans.

    Tamperproof Stickers

    For the stickers, the obvious choice was Amazon, and 3 differing types of stickers were chosen: rectangular, dog bone and circle\spot. The stickers work using 2 different types of glue, one being more adhesive than the other. When the sticker is removed, the word 'VOID' adheres to the surface, leaving evidence of tampering. More annoyingly, the stickers tend to be brittle and can't be removed intact.

    Tools of the trade

    Physical implements include syringes, tweezers, a scalpel, a razor blade and a hairdryer. Solvents to loosen the glues include Isopropyl, WD40 and Alcohol Hand Gel.

    Items of Value

    3 different surfaces have been selected: a Microserver representing a standard plastic computer case, a Netgear 8 Port switch with a painted metal case, and lastly an Asus Zenbook with brushed Aluminium.

    The Control

    A functional test of each sticker was carried out to ensure expected behaviour.

    Standard PC - Isopropyl

    Using a sharp needle, inject Isopropyl around the edge of the sticker. With the scalpel, very carefully lift up a corner whilst injecting Isopropyl. Using sharp instruments during testing caused damage, so swap to a blunt needle and tweezers. Very slowly peel back the sticker whilst injecting Isopropyl. That was easier than expected and completed within a few minutes. The sticker was removed with no visible damage. Once the Isopropyl evaporated the sticker was reusable.

    Standard PC - Hair Dryer

    Heat the sticker and use the scalpel to lift the corner, then switch to the tweezers. Apply heat continuously or the lifting edge cools, damaging the sticker. The sticker was reusable instantly.

    Painted Metal - Isopropyl

    The glue adhered to the paint far more effectively and, despite a couple of attempts, I was unable to remove the sticker without damage. Evidence of my failure......

    Painted Metal - Hair Dryer

    Apply constant heat to the sticker, allowing its removal without damage. Redemption and back in business.... The sticker was reusable instantly.

    Brushed Aluminium - Isopropyl

    Chalk this down to another failure; using Isopropyl was a non-starter. The smooth surface prevented the Isopropyl from getting under the sticker, and damage was inevitable.

    Brushed Aluminium - Hair Dryer

    Constantly applied heat appears to work better on smoother surfaces. The sticker lifted reasonably easily and quickly without damage. The sticker was reusable instantly.

    WD40 and Hand Sanitizer......

    In theory, the hand sanitizer should've worked, but its thickness prevented it from penetrating the glue. A non-starter. WD40 worked almost as effectively as the Isopropyl; however, the sticker was not reusable due to the oil content.

    Findings

    Size, or more importantly circumference to surface area, matters, regardless of what you're told...... The spot and dog bone stickers, with relatively small surface areas to circumference, lifted far more easily than the rectangle. The surface of the device being protected influences the performance of the glue. Isopropyl is unable to penetrate smoother or painted surfaces as easily. When in doubt use a hair dryer; heat reduces the adhesion of the glue, allowing the sticker to lift and be reapplied.

    The Old Adage

    The old adage still applies: if you have physical access, you are the owner of the device.

    Limitations of tests

    Source of stickers: they're nothing special, being from Amazon. At the time of writing, the 2 companies approached for their heat and Isopropyl resistant security stickers have yet to reply.......Hoping they come through, I'd like to know if they do offer any extra resistance. Any company feeling brave, contact me via the Home contacts form. If the stickers supplied resist my attempts I'll mention the company name as a supplier of superior stickers. As always, thanks for your time; if you enjoy the content please share this site.

  • Map User Rights Assignments from Guids to Group Names

    Ever wondered what all those Windows Guids translate to in User Rights Assignments? Follow the link and run the script with Admin permissions. https://github.com/Tenaka/UserRightsAssignmens The script will export the Windows security settings and extract the Privilege Rights. The privilege rights will be translated into their human-readable format.
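As an added example (my own PowerShell, not the script linked above), the function below performs the same three steps: export the local security policy with secedit, pull the [Privilege Rights] section out of the resulting .inf, and translate each entry from its identifier to an account or group name. The identifiers secedit writes are SIDs prefixed with an asterisk (for example *S-1-5-32-544, the built-in Administrators group), which is what is being mapped to names. It needs an elevated prompt, and the function name and temporary export path are my assumptions.

```powershell
# Added example, not the script linked from the post. Requires an elevated
# prompt because secedit will not export the policy otherwise.
function Get-UserRightsAssignment {
    [CmdletBinding()]
    param(
        # Temporary .inf written by secedit; assumed location, removed afterwards
        [string]$ExportPath = (Join-Path $env:TEMP 'user-rights-export.inf')
    )
    # USER_RIGHTS limits the export to the [Privilege Rights] area
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path -Path $ExportPath)) {
        throw "secedit export failed; run this from an elevated PowerShell prompt"
    }

    $inSection = $false
    foreach ($line in (Get-Content -Path $ExportPath)) {
        # Track which [Section] of the .inf we are in; only [Privilege Rights] matters
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }

        # Lines look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $privilege  = $Matches[1]
            $principals = foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    # '*S-1-...' entries are SIDs; translate, or keep the bare SID when
                    # it has no name on this machine (e.g. a deleted account)
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        $entry.Substring(1)
                    }
                } elseif ($entry) {
                    $entry   # secedit already wrote a name rather than a SID
                }
            }
            [pscustomobject]@{
                Privilege  = $privilege
                Principals = (@($principals) -join '; ')
            }
        }
    }
    Remove-Item -Path $ExportPath -Force -ErrorAction SilentlyContinue
}

# Usage (elevated prompt)
Get-UserRightsAssignment | Sort-Object Privilege | Format-Table -AutoSize -Wrap
```

A privilege with an empty right-hand side (nobody assigned) comes back with an empty Principals column rather than being dropped, which is useful when auditing against a baseline: a missing assignment is as much a finding as an unexpected one.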
