New way of managing on-prem Windows servers securely – Project Honolulu

Project Honolulu – a new tool that puts a UI on top of PowerShell and WMI capabilities for managing your servers securely.

I don’t have to explain why connecting to a remote server with RDP is a really bad security practice. By default, Windows has no timeout on a disconnected RDP session. In fact, after you close your RDP window, your user (some kind of admin, right?) stays logged in to the server, and God knows what happens when you aren’t watching! For example, anyone who gains access to the same server as a non-privileged user can dump in-memory credentials and steal your remote session (e.g. with the help of the infamous Mimikatz tool).

How to mitigate this problem? Don’t connect to servers with RDP. Ever! Microsoft believes that the solution is WMI (Windows Management Instrumentation) via PowerShell. At the very least, it protects you from the guys who wait on the server for you to log in so they can steal your credz. Sounds great, but I want my GUI back, right?

Luckily, we’ve just got a tool for it – Project Honolulu. It executes PowerShell WMI commands in the backend and exposes the framework’s capabilities through a lean (and flat, of course!) UI. It lets you perform most of the operations you would typically do over RDP. Hyper-V and Failover Clusters are supported too.
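The same idea in plain PowerShell, as an added example that is not part of the post: audit a server's disconnected-session timeout and count RDP logons over WinRM instead of opening an RDP session to look. The function name, the output shape and the hostnames SRV01/SRV02 are this example's own; it assumes PowerShell remoting is enabled and the caller has admin rights on the targets.

```powershell
# Added example (not from the post): check the disconnected-RDP-session timeout
# policy over WinRM rather than by logging in with RDP.
# Assumes PS remoting is enabled and the caller is a local admin on the targets.
function Test-DisconnectedSessionTimeout {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Group Policy "Set time limit for disconnected sessions" writes this value
        # in milliseconds. Absent or 0 means a disconnected session never ends,
        # which is the default the post warns about.
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        $timeoutMs = (Get-ItemProperty -Path $policyKey -Name MaxDisconnectionTime `
                        -ErrorAction SilentlyContinue).MaxDisconnectionTime

        # Logon sessions still present on the box; LogonType 10 = RemoteInteractive (RDP).
        $rdpSessions = Get-CimInstance -ClassName Win32_LogonSession -Filter 'LogonType = 10'

        [pscustomobject]@{
            ComputerName            = $env:COMPUTERNAME
            TimeoutConfigured       = [bool]$timeoutMs
            DisconnectTimeoutMin    = if ($timeoutMs) { [math]::Round($timeoutMs / 60000, 1) } else { 0 }
            RemoteInteractiveLogons = @($rdpSessions).Count
        }
    } | Select-Object ComputerName, TimeoutConfigured, DisconnectTimeoutMin, RemoteInteractiveLogons
}

# Usage (hostnames are placeholders): list servers where a disconnected
# RDP session would linger forever.
Test-DisconnectedSessionTimeout -ComputerName 'SRV01', 'SRV02' |
    Where-Object { -not $_.TimeoutConfigured } |
    Format-Table -AutoSize
```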

At the moment the tool is in Technical Preview, but “it works perfectly in my environment” (c). Download it here.

Some screenshots from my Honolulu:

[Screenshots: honolulu, honolulu2]

It covers the most common operations, such as modifying firewall rules and local groups, checking logs, the registry and resource utilization, installing new roles and features, and much more!

Have fun!

The Security Development Lifecycle book is available for downloading

Very recently, Microsoft published online the foundational book describing the SDL (Security Development Lifecycle).


The principles behind the SDL were born as a response to the Windows Longhorn project reset in the early 2000s. Back then, the entire project was wiped out and started from scratch because of critical vulnerabilities in various components – according to MS insiders. At the time, Microsoft had a questionable reputation regarding the security of its products, so the company made a huge investment in security improvement. The SDL was created as the common approach to developing products, from the very bottom to the top – from design to release.

The book was published in good old 2006, which can be seen as the Stone Age compared to the threats and attack vectors present nowadays. Nevertheless, it remains a valuable source of knowledge and concrete actions for teams and companies that struggle with improving the security of their products. In my opinion, it is impossible to deliver a secure solution without integrating SDL principles into every chunk of the development process.

The most recent overview of SDL can be found at the dedicated Microsoft page.

The best part of that page is the set of tools and instruments designed and used by MS at each step of the SDL – with download links. It can be seen as a great reference to the spectrum of problems that the SDL solves – you don’t have to replicate it in your organization exactly the way it works at MS, but at least it helps you understand the challenges and possible solutions.

Uninstall MS Exchange Server 2016

Today, I read through the support thread of one guy who ended up paying MS customer support to get rid of a nasty Exchange server.

And, I must admit, it is not something that can be removed with ease.

! The following instructions will help you annihilate the Exchange server and its data. If you still wish to save some of it, don’t use them.

Let’s say you need to completely wipe it from the machine – but the uninstaller always fails to remove the so-called Default Mailboxes.

There are a few types of them which you need to take care of manually:

Get-Mailbox -Archive | Disable-Mailbox
Get-Mailbox -Monitoring | Disable-Mailbox
Get-Mailbox -AuditLog | Disable-Mailbox
Get-Mailbox -PublicFolder | Disable-Mailbox

Now you need to get rid of the “-Arbitration” mailboxes, but that is not as easy as the previous cases. First, find out the name of your Mailbox Database:

Get-MailboxDatabase

It will show you something like “Mailbox Database 12212842873428”. Use the entire name, not just the number! Now you can remove all Arbitration mailboxes:

Get-Mailbox -Database "NAME FROM THE PREVIOUS COMMAND" -Arbitration | Disable-Mailbox -Arbitration

It will fail on the last mailbox, which is used by some default address book (are you still following the actual meaning of these error messages? Not sure if it is physically possible…).

So, to remove the default Offline Address Book we need to get its name. At least, that is what support says. Forget support, use the wildcard!

Remove-OfflineAddressBook -Identity "*"

And finally:

Get-Mailbox -Database "NAME" -Arbitration | Disable-Mailbox -Arbitration -DisableLastArbitrationMailbox

Phew, that was it. Now nothing can stop you from wiping the Exchange server off your machine.
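The manual steps above collected into one function, as an added example that is not from the post: it discovers the database name itself rather than asking you to paste it, and supports -WhatIf so the destructive part can be rehearsed first. The function name is this example's own; the cmdlets and switches are the ones the post uses, and it assumes you run it in the Exchange Management Shell on the server being wiped.

```powershell
# Added example (not from the post): the post's cleanup steps as one function.
# Assumes the Exchange Management Shell on the server that is being wiped.
# Everything here is destructive; rehearse with -WhatIf first.
function Remove-DefaultExchangeMailboxes {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    # 1. Default mailbox types the uninstaller cannot remove on its own.
    foreach ($switch in 'Archive', 'Monitoring', 'AuditLog', 'PublicFolder') {
        $params = @{ $switch = $true }
        Get-Mailbox @params -ErrorAction SilentlyContinue | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, "Disable $switch mailbox")) {
                $_ | Disable-Mailbox -Confirm:$false
            }
        }
    }

    # 2. Arbitration mailboxes need the full database name, not just its number.
    foreach ($db in Get-MailboxDatabase) {
        $arbitration = @(Get-Mailbox -Database $db.Name -Arbitration -ErrorAction SilentlyContinue)
        if ($arbitration.Count -eq 0) { continue }

        # 3. Drop the default Offline Address Book first, or the last
        #    arbitration mailbox refuses to go (the error the post describes).
        if ($PSCmdlet.ShouldProcess($db.Name, 'Remove all Offline Address Books')) {
            Remove-OfflineAddressBook -Identity '*' -Confirm:$false -ErrorAction SilentlyContinue
        }

        # 4. The last arbitration mailbox needs its own switch.
        if ($PSCmdlet.ShouldProcess($db.Name, 'Disable arbitration mailboxes')) {
            Get-Mailbox -Database $db.Name -Arbitration |
                Disable-Mailbox -Arbitration -DisableLastArbitrationMailbox -Confirm:$false
        }
    }
}

# Rehearse, then run for real.
Remove-DefaultExchangeMailboxes -WhatIf
Remove-DefaultExchangeMailboxes -Confirm:$false
```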