Stuff n Things
Yep I write about Stuff.. and Things
Securing your PowerShell Operational Logs
So you have actually upgraded to WMF5 and/or Win10 on your systems and have enabled script block...
Date: 05/13/2017
PSLockDownPolicy and PowerShell Constrained Language Mode
There have been a number of great articles about PowerShell both from an Attack perspective as well as...
Date: 01/20/2017
Checking effective audit policy forest wide (Get-Auditpol)
Too many times dealing with customers I find that audit settings are either poorly configured or not...
Date: 06/05/2016
DNS Debug Log–Enabling / Retrieving / Searching
The files you need for this: https://psasync.codeplex.com/ – psasync runspaces multi-threading...
Date: 05/27/2016
EMET and DEP
I’ve seen various questions recently around the use of EMET and DEP for protecting processes. Prior...
Date: 01/05/2016
LAPS Audit Reporting via WEF PoSH and PowerBI
So I have a few of these dashboard type solutions now for MS products that we’ve put together to...
Date: 11/18/2015
EMET Reporting
So I frequently get customers that ask how do I know what EMET is actually doing out there....
Date: 10/02/2015
Some PoSH to help with EVT Xpath filter creations
Over time I have had enough hassles creating xpath filters for Event Log Filtering / WEF setups that...
Date: 05/27/2015
Restricted Admin mode for RDP in Windows 7 / 2008 R2
<# EDIT .. there has been a wiki article posted by my colleague John Rodriguez at...
Date: 01/10/2015
Updated EMET.admx file to enable disabled settings for Default sets
An EMET customer pointed out that for the Default Sets in the .admx GPO’s the “Disabled”...
Date: 12/11/2014
Creating Exclusions from the Default Sets in EMET ADMX GPO’s
I’m going to preface this with I do not recommend usage of our .admx GPO’s currently for...
Date: 12/11/2014
KB2871997 and Wdigest - Part 2
If you got here inadvertently glance at Part 1 as well....
Date: 11/02/2014
KB2871997 and Wdigest - Part 1
In May of this past year we released a “Security” update labeled kb2871997 which basically back...
Date: 11/01/2014
Managing Trusted Sites via Policy for EMET ASR
Part of the new functionality of EMET allows you to block or allow plugins in IE based on the zone...
Date: 09/28/2014
Testing the ASR feature for Office documents in EMET 5.0
Had a customer recently ask me how to test the ASR feature for EMET 5.0 so figured I would write...
Date: 09/04/2014
Managing IE Sites for EMET with ASR (Attack Surface Reduction)
If you haven’t started testing EMET 5.0 please consider doing so especially if you are charged with...
Date: 08/27/2014
Setting EMET Local Configuration via GPP
Our PG released EMET 5.0 yeah and it works pretty well and has some cool new functionality such as...
Date: 08/01/2014
Configuring EMET via GPO/GPP w/o using the ADMX files
[UPDATE 7/23/2014] I've created a wiki page at...
Date: 04/29/2014
Xpath Event Log Filtering
So I’ve been working on some stuff lately with Event Log Forwarding and Auditing in general and have...
Date: 03/24/2014
Automatically refreshing EMET GPO’s
If you’ve tried configuring EMET via GPO’s you’ve probably come to realize that while the GPO’s...
Date: 03/13/2014
Restricted Admin mode for RDP in Windows 8.1 / 2012 R2
<# EDIT .. there has been a wiki article posted by my colleague John Rodriguez at...
Date: 08/14/2013
Another WSUS Cleanup Script
Just noticed this as I was looking for a solution for a different WSUS problem and thought I would...
Date: 04/20/2010
Some thoughts on Adobe Reader and malware
Not sure if anyone saw this bit of news recently where a report put out by ScanSafe indicates that...
Date: 03/10/2010
Some more logparser & eventcomb stuff for IR work
Counting and sorting by unique text in the strings section: As a follow on to a previous article...
Date: 01/27/2010
Determining the cause of FCS client performance issues
Realistically this process should work for other AV clients as well but I’m doing it in the context...
Date: 12/30/2009
Logparsing FCS to find files that were infected
Working an interesting case at the moment where we have multiple files across servers that were...
Date: 12/22/2009
Dealing with malware that creates .exe’s on file shares
So lately we keep seeing variants of malware that modifies content on file servers in an environment...
Date: 07/23/2009
How to go green with FCS
I’m not a treehugger but I can definitely see the $$ with power savings. Having said that I had a...
Date: 05/13/2009
Some Interesting FCS SQL Queries
With a recent case I have an issue where the client count of managed computers in MOM admin console...
Date: 05/08/2009
Update Views for FCS in WSUS
Nothing profound with this post just detailing out a step I typically recommend to most of our new...
Date: 04/08/2009
Cheap real time monitoring for Conficker clients
I already did one post about using eventcomb/logparser to look for clients but found a better way to...
Date: 03/09/2009
WSUS FCS Definitions
This is a follow up post to my previous FCS definitions post. The first one focused on the...
Date: 03/05/2009
Blocking and finding Conficker and Downadup systems
EDIT 4/27/09: THIS NO LONGER WORKS WITH NEW VARIANTS OF CONFICKER HOWEVER THE CONCEPT IS STILL SOUND...
Date: 02/09/2009
Understanding FCS Definitions
A fairly frequent question we get is how do FCS definitions work. How do I find just the deltas for...
Date: 02/09/2009
Using Logparser + Eventcomb to find malware
During the course of these Conficker / Downadup issues we typically see cases that started because...
Date: 01/28/2009
How-to: Removal of Conficker in your FCS environment
Another Conficker post :) however this one is aimed at our FCS customers. It semi-applies to other...
Date: 01/13/2009
More on File Shares and Autorun.inf with regards to malware
So in my last post I mentioned the fact that Conficker/Downad whatever can also have a component...
Date: 01/12/2009
Malware Win32/Conficker.B W32.Downadup.B
So for the past 2 weeks now we are absolutely getting hammered with calls in CSS Security here at MS...
Date: 01/08/2009
Changes to Microsoft Anti-Malware
This doesn’t really affect the FCS world but it is an interesting development....
Date: 11/19/2008
FCS .adm settings
I’m not really advocating using this and I can’t take credit for this as it was posted on the FCS...
Date: 11/14/2008
How to add extra scheduled scans or definition updates for FCS
The default option for scheduled scans in FCS is kind of sparse currently and it's something we get...
Date: 10/23/2008
FCS Intervals
So you've seen the following options with your FCS settings and are wondering how do these work???...
Date: 10/17/2008
FCS and System Center Essentials
Just found this posting on the SCE forums regarding integration of SCE and FCS:...
Date: 10/08/2008
Automating WSUS Cleanup
By default WSUS does not clean up anything in an automated manner. This is not normally too...
Date: 09/23/2008
FCS SP1
So Forefront Client Security SP1 is out now. To download it go to the Microsoft Update Catalog...
Date: 08/29/2008
FCS Database Sizing
One common issue we seem to be seeing in FCS support is that the DTS job that transfers data from...
Date: 08/25/2008