We use cookies on this page to better serve you. You can find more information about cookies here.

Latest posts

Deploying Windows LAPS
by

I’ve been a fan of LAPS for a while and in 2023 Microsoft made LAPS even better by introducing a new version called Windows LAPS. Windows LAPS (Local Administrator Password Solution) is a great tool for managing your local admin passwords.

You might be thinking it’s ok I use one complicated password for my local admin accounts, it does not matter in fact it’s worse because if that local admin password hash is obtained then techniques such as pass-the-hash could be used or the password could be cracked and then all systems are compromised, it also sticks out on a penetration test.

Let’s be real, how often are you really changing those passwords even if they are all unique? Well, it doesn’t matter now because Microsoft has made managing all of it much simpler.

LAPS is not new, it has been around for years. In the past to use LAPS you needed to install a small client on the systems you wanted to manage with LAPS. You also needed to install the LAPS UI to retrieve the password or go digging in the AD attributes for the password.

After April 2023 all of that has changed as with the April 2023 security update systems running Windows 10 or newer and servers running Windows Server 2019 or newer now support Windows LAPS natively. No more extra programs are needed. There’s really no excuse for not using Windows LAPS.

The old way of doing Microsoft LAPS with the small client and LAPS UI is now called Legacy LAPS.

Here is step-by-step how to deploy Windows LAPS after the April 2023 update in on-premises Active Directory setup.

Prerequisites

  • All domain controllers and systems managed by LAPS must have the April 2023 update or newer.
  • An AD group for the users who can view LAPS passwords.
  • An AD group for the users who can reset the current LAPS password. (You can use the same group for both if you want.)
  • An Admin account that is a member of Schema Admins and Domain Admins.
  • Domain Functional Level of Windows Server 2016 or higher.

Initial Configuration

  • Login to a domain controller with an account that is a member of schema admins and domain admins
  • Open PowerShell as admin
  • Confirm you have the LAPS PowerShell module by running the following command get-command -module LAPS
Read more
IT
Active DirectoryEUCHardeningHow ToLAPSMicrosoftsecurityWindowsWindows Server

FortiGate Policy Mode vs Profile Mode
by

By default all Fortinet FortiGates are in Profile-based NGFW mode. There is nothing wrong with the default mode. However, I personally prefer policy mode more.

Profile mode works like most firewalls like SonicWall, pfSense and UniFi for example. All your rules are based on ports.

Policy mode works like Palo Alto Networks firewalls. All your rules are only based on ports if you define them but where the real power comes in is application based rules.

To better show the differences here’s an example. I am using Central SNAT in profile mode to keep it as similar as possible to Policy mode.

The Setup

  • VLAN for the Guests network and the IoT network and they are on a tagged interface.
  • The Corp network is untagged on interface x1.
  • An object exists for the entire Guest LAN and the entire IoT LAN. I’ve colored them blue.
  • An object exists for the DHCP server on the Corp network. I’ve colored it green.
  • I will make a rule to allow the Guest and IoT network to talk to the DHCP server on the Corp network to get a DHCP address.

Profile Mode

In profile mode I will build the Firewall Policy rule like this.

  • Name: Allow DHCP
  • Incoming Interface: Guests and IoT
  • Outgoing Interface: Corp
  • Source: Object for the Guest LAN and IoT LAN
  • Destination: Object for the DHCP server on the Corp LAN
  • Service: DHCP and DHCP6

Here is what that rule looks like.

Read more
IT
ComparisonFirewallFortiGateFortinetNetworking

FotiGate Enable Policy Mode
by

The default setup of a Fortinet FortiGate is Profile mode. Here’s step-by-step how to change a FortiGate from Profile Mode to Policy Mode. Due to the significant change between the two mode you will need to rebuild all your rules.

Notes

  • All existing firewall rules will be lost.
  • Any objects or interfaces will remain.
  • You will need to use Central NAT.

The Process

  • Login to the FortiGate
  • Click on System
  • Click on Settings
Read more
IT
FirewallFortiGateFortinetHow ToNetworking

Generate CSR with MMC
by

There are many ways to generate a CSR (Certificate Signing Request) one of them is with IIS. What if you don’t have IIS or you want to be stubborn and not use IIS at all? In this post I will detail step-by-step how to generate a CSR using MMC (Microsoft Management Console).

  • Open MMC
  • Add the Certificates Snap-in
  • Select Computer account and click Next.
Read more
IT
CertificatesHow ToMicrosoft Management ConsoleSSLWindows

Install VMware Horizon Connection Server
by

In this post I’ll show you step-by-step how to install the VMware Horizon Connection Server on-premises specifically version 2303 (other versions will follow a very similar process).

Prerequisites

  • A domain joined Windows Server that will be the Horizon Connection Server.
  • A static IP on the Windows Server.
  • An Active Directory Group for Horizon Administrators.
  • A password for Horizon data recovery backups.

The Process

  • Login to the server that you will be installing the Horizon Connection Server on, this should be the only function of that server.
  • Download a copy of the Horizon Connection Server installer from VMware.
  • Run the Horizon Connection Server installer that was just downloaded.
  • Click Next
Read more
IT
EUCHow ToInstallOmnissaOmnissa HorizonVMwareVMware Horizon

My VMware vExpert Journey
by

I’ve recently reached an exciting milestone. I became a VMware vExpert!

vExpert is a program run by VMware, it’s for people that want to give back to the VMware community, which can be done via a multitude of ways one of them being blogging like this very website. Anyone and everyone can apply, I highly encourage you to apply.

To fully understand why this is an important milestone in my life, we need more context. Computers and technology have always fascinated me. I look at everything with the mindset of trying to understand how and why something works. What does it take to break it? And what does it take to fix it?

I feel like I’ve always had some form of a home lab, at the time I had no idea what a home lab was. To me, it was just some computers that I could play with and break and fix and learn with. Almost all of what I know today is all self-taught from doing exactly that.

They say you never stop learning and I fully believe that. I am constantly learning new things and improving what I know.

My Path Forward

Some time ago, I decided to change my website into my notebook about tech things. My reasoning for this is to remember how I did something and, I want to give back to the internet as there have been countless times where other websites just like mine have helped solve a problem or taught me something.

After changing my blog real people started commenting on my posts, and I gained a new friend, Stephen Wagner who runs his own tech blog just like mine. You can find his blog here https://www.stephenwagner.com.

Stephen is vExpert Pro and he saw that my blog has VMware content, he told me about the vExpert program. I had no idea the vExpert program existed. He encouraged me to apply and helped me with the whole application process.

Read more
IT
Home LabmilestonevExpertVMUGVMware

Distinguished Name
by

Everything in AD (Active Directory) has a Distinguished Name. A Distinguished Name can be used in many situations such as setting up an application to use a service account or adding AD groups or users into applications and so much more.

A Distinguished Name is also known as a DN. A benefit of an using a DN is that no two objects in Active Directory can ever have the same DN.

In this post I’ll show step-by-step how to get the Distinguished Name for the various items in Active Directory via the GUI and PowerShell.

GUI Way

  • Open Active Directory Users and Computers
  • Click on View > Advanced Features
  • Right click on anything in AD and click on Properties
  • Click on the Attribute Editor tab.
Read more
IT
Active DirectoryHow ToMicrosoftPowerShell

Microsoft 365 Audit Logging
by

For whatever reason the default fresh setup of Microsoft 365 has no audit logging turned on. Audit logging is very useful for IT troubleshooting and auditors love logs.

Microsoft says that it is enabled by default for Microsoft 365 and Office 365 enterprise organizations. I suspect that means only if you have E1 or higher. The new tenants I’ve made recently are not E1 or higher, that could be why I didn’t see it already on.

Someone asked for clarification about this on GitHub however the replies all say that it is on by default for everything but that isn’t true based on my experience. You can read the GitHub issue here.

Microsoft’s documentation also says to double check that audit logging is enabled which you 100% should be doing as if it’s on or not seems inconcistant.

In this post I will detail how to check if audit logging is enabled and how to enable it via the Web UI or PowerShell.

Prerequisites

The Web UI Way

  • Login to Microsoft 365 Admin center.
  • Click on Security or Compliance (you can get to auditing from either one)
  • From the Security or Compliance admin centers click on Audit

If audit logging isn’t enable the page will look something like this.

  • Click on Start recording user and admin activity

Audit Logging is now enabled it may take a bit for it to actually start working.

The PowerShell Way

  • Connect to Exchange Online with PowerShell
  • Run the following command to check if Audit Logging is enabled Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

In my example the returned result is false so audit logging isn’t enabled and we want to turn that on.

Read more
IT
AuditingComplianceExchange OnlineHow ToLogsMicrosoftMicrosoft 365Office 365PowerShellSecure Score

Lenovo Update TPM 1.2 to 2.0
by

If you have an older Lenovo server with a TPM (Trusted Platform Module) it may be running with TPM version 1.2 and not TPM version 2.0. One of many reasons to upgrade your TPM is because TPM 2.0 is needed to install ESXi 8.

In this post I will show you how to update the Lenovo TPM from version 1.2 to version 2.0.

Prerequisites

You will need to know how to assert physical presence on the Lenovo server. If you don’t know how to do that I detail the process in a post called Lenovo Remote Physical Presence.

I would also make sure all your firmware is fully up to date as you may not see this option if it is super old and you should be keeping your firmware up to date.

Make sure you understand that anything stored in TPM will be lost. This likely isn’t an issue if you are doing a fresh setup.

The Process

  • Login to the XClarity Controller
  • Enter the BIOS setup
  • Assert your physical presence over the Lenovo server.
  • Click on UEFI Setup
  • Click on System Settings
Read more
IT
FirmwareHow ToLenovoThinkServerTPMXClarity

Palo Alto Predefined IP Commit Error Fix
by

In this post I will detail how to resolve the Palo Alto commit error when trying to commit a predefined IP list.

Below is an example of the error

Validation Error:
external-list -> Palo Alto Networks Tor exit IP Addresses -> type -> predefined-ip -> url 'panw-torexit-ip-list' is not a valid reference
external-list -> Palo Alto Networks Tor exit IP Addresses -> type -> predefined-ip -> url is invalid

I’ve commonly ran into the issue on a fresh Palo Alto setup right after loading the day 1 configuration and trying to make that commit.

Here is step-by-step how to fix the predefined IP list error.

  • Login to the Palo Alto firewall.
  • Click on Device
  • Click on Dynamic Updates
Read more
FixesIT
FirewallFixHow ToNetworkingPalo Alto NetworksPAN-OS
theDXT on GitHub
theDXT on X (Twitter)
theDXT on YouTube