Pages

Monday, 15 October 2018

Remotely lock a computer and restrict them from logging back in

For investigative purpose, sometimes you have to freeze a terminal by throwing someone off a terminal, but at the same time preserve the evidence on the terminal. Let’s assume that if someone is using a terminal to send frustrating messages to their colleagues or having obscene chats or even an anonymous trying to hack, and you need to secure the running terminals to capture the commands that has been run.
Following process demonstrates that it is quite simple to accomplish such simple investigative task, provided you have admin privilege over the network:
  1. It is mandatory to change the target account’s AD password. This ensures the culprit is deprived from logging back in
  2. If you don’t have psexec, download the PSTools and extract the content and then target the terminal with psexec and use rundll32 to execute user32.dll with the LockWorkStation function. This will trigger the account lock. The following command can be tweaked for your purposes: H:\PSTools>PsExec.exe \\192.168.100.10 -d -u ventej\Administrator -i cmd /c "rundll32 user32.dll, LockWorkStation"
  3. Now it’s time to seize the terminal. Make sure you are standing by ready for this, as the victim could be distressed and shut down his workstation, essentially removing evidence.
Good Luck!

Wednesday, 3 October 2018

Exchange 2013 Maintenance: Logs

Take a full backup. Once you take full backup all your logs will vanish. Else what?
 
Circular logging should not be enabled in a production environment. Circular logging are manually enabled only if you have noticed that the Exchange logs are enormously growing due to the following: either the nodes are unhealthy or there wasn't any successful exchange full backup.
 
To clear unwanted or orphaned logs, apart from enabling circular logging, it is also safe to dismount the Exchange DBs and mount back again. However, before doing it make sure to have a successful Exchange backup.
 
Exchange 2013:
 
Step1: ECP>>Servers>>Databases>>select required DB>>Check Active and Passive server's DB health. should be healthy. Double Click DB>>Maintenance>>Enable/Disable Circular logging. (Should not be enabled unless and otherwise required)
 
Step2: ECP>>Servers>>Databases>>select required DB>>Check Active and Passive server's DB health. should be healthy>>click more (3 dots...)>>Dismount. make sure the process completes successfully>> Mount the DB back again. And make sure the DB status shows mounted and healthy.
 
What if the log drive is full and exchange is down?
 
It is not a good idea to enable circular logging on a mailbox sever. As you may be aware that log drive should not be on a system drive, recommended to have a dedicated drive. Capacity planning is required for at least a period of 2-3 years both for SBM and large enterprise level org.
 
Consider moving the log files from the log drive to a temporary storage until the backup issue gets resolved. Once you have enough space, enable circular logging. Uncheck this feature after making sure there is enough log drive space.
 
In a nutshell circular logging recycles the logs.  Exchange relies on transaction or write-ahead logs to store events before they are committed to the database.  When the defined logs have been filled up, circular logging assumes that the first log must have been committed and recycles the logs to save disk space.
 

Check Which Domain Controller You Are Connected To

From Command Prompt Type "set l". Review the info next to the LOGONSERVER field to see the name of the domain controller.

 
Using Nltest Command, Type "nltest /dsgetdc:[FQDN]" (without quotation marks) into the console. Review the information next to the DC field to see the name of the domain controller with which the computer or system is communicating