Some of you will already know what Active Directory Domain Services is on Windows Server 2008, since someone on this portal has already written about it; what I will share here as well is a comparison with Windows Server 2003. On Windows Server 2003, when we want to make a server a Domain Controller, we simply type dcpromo in Run and execute it. On Windows Server 2008 we can likewise install Active Directory by typing dcpromo, but Windows Server 2008 first installs the Active Directory Domain Services server role. If we install that server role and then cancel the wizard, we still get AD Users and Computers, AD Sites and Services, AD Domains and Trusts and AD Schema under Administrative Tools. This differs from Windows Server 2003, where running dcpromo goes straight into the wizard without installing a server role first.
With AD DS, client computers can use the user accounts that have been created to authenticate to AD DS, and access to network resources such as a file server or print server is also authenticated through AD DS: for example, whether this user is a member of a certain group, or whether the user is individually allowed access to a certain folder. The other server roles (AD FS, AD RMS and AD CS) depend on AD DS to provide information about the users and network resources in Active Directory. AD DS also brings some new functions: the Read Only Domain Controller, which we have discussed many times on our wss-id portal, and restartable AD DS, which lets us stop just the AD DS service in order to defragment the database, whereas a 2003 DC had to be restarted into Directory Services Restore Mode first.
Conceptually Active Directory 2003 and AD 2008 are almost the same. The core of Active Directory is Active Directory Domain Services, because without it the other server roles will not work properly. This is where we do all of our work on Active Directory.
The Active Directory Domain Services snap-ins themselves are the same as on Windows Server 2003:
1. Active Directory Users and Computers is used to manage (create, modify or remove) the objects (OUs, users, computers, groups, printers and so on) in Active Directory through a GUI (Graphical User Interface).
2. Active Directory Sites and Services is used to create sites and to manage replication between Domain Controllers.
3. Active Directory Domains and Trusts is used to create trusts between domains and to raise the forest functional level and domain functional level; it also exposes one of the FSMO roles (the Domain Naming Master) that we can transfer from one DC to another.
4. Active Directory Schema is used to add, modify or remove the classes and attributes in Active Directory.
Besides the functions above, Active Directory Domain Services also has several features:
1. Centralized Directory: lets the network admin manage the network through a single, central directory.
2. Single Sign On Access: several resources can be accessed with a single user account; for example user bobby can access the file server, print server and fax server.
3. Integrated Security: AD DS works together with Windows Server 2008 security to check the security permissions of every joined client directly, whether it runs Windows NT, 98, 2000, XP or Vista.
4. Scalability: we can add new AD DS servers, which on Windows Server 2003 we called Additional Domain Controllers (ADC). The new AD DS server replicates from the existing one, so users can log on to the AD DS server closest to their location.
5. Common Management Interface: the Microsoft Management Console (MMC) is used to deploy AD DS and to maintain an existing Active Directory.
AD DS is made up of two parts: physical components and logical components.
Physical components of AD DS:
1. Data Store: the place where the data is stored (wherever we install Active Directory, that is where the data store is). Example: the ntds.dit file stored in the %SystemRoot%\NTDS folder.
2. Domain Controller: a server on which we install Active Directory is called a Domain Controller. It provides authentication and authorization of access to particular resources, and replicates updates between Domain Controllers.
3. Global Catalog Server: a DC that holds the global catalog. The global catalog holds a partial copy of every object in the forest, containing the attributes most often queried, for example during user logon and when looking up objects in other domains of the same forest. The DC on which we enable the global catalog is called a global catalog server.
4. Read Only Domain Controller: a Domain Controller that can only be read from, without any changes being made on it.
5. Sites: the placement of Domain Controllers, intended to control replication between those Domain Controllers. Between different sites we can schedule replication; within one site replication happens immediately. We can also associate IP subnets with each site.
AD DS Replication: copies every update in the AD DS database to all the other Domain Controllers, whether within one domain or within one forest. AD replication also ensures that all DCs hold the same information, using a multimaster replication model (changes can be made on any writeable DC and the update is sent to the other DCs). Replication can be managed by creating sites.
Logical components of AD DS:
1. AD DS Schema: consists of two parts. Object classes define the new objects we can create in Active Directory (for example the computer class and the user class); object attributes define what information can be stored on each object class (for example the user class has display name, email address, etc.).
2. AD DS objects: the smallest unit of AD DS, which includes users, computers, printers, groups (used for grouping and for granting permissions), and others.
3. Organizational Unit (OU): an object container, a place to hold objects. Every object in AD DS can be placed in an OU, and an OU can also contain other OUs.
4. Domain: used to group Active Directory objects so they can be managed within one organization. It can also be used to apply a particular policy to an OU that contains other objects. A domain always has at least one Domain Controller installed, and one DC can host only one domain.
5. Domain Tree: a hierarchical arrangement of domains within one forest whose names are contiguous with the parent (for example the parent contoso.com and the child as.contoso.com).
6. Forest: the whole of AD DS, including the domains, domain trees, the schema, objects and OUs.
Obviously, before you can restore your domain, you have to back it up first. Mainly what we’re interested in backing up is the System State of a Domain Controller. So what is the System State?
The System State of your server includes the Registry, the boot files, some system files, the Active Directory database and other components. You cannot pick and choose which components are backed up during a System State backup; it is all or nothing.
Since this includes the whole of your Registry, understand that it also includes information about the original system's installed hardware, which may complicate the restore. If you backed up the System State from a DC on an HP ProLiant DL380 G5 and attempt to restore it on a Dell PowerEdge T100, you will most likely have trouble booting the OS afterwards because the hardware set is significantly different.
As part of your DR plan, I recommend making a point of documenting the hostname, IP address, Operating System, Service Pack level, and the hardware make/model of each of your domain controllers. You may find this information useful when the time comes.
These instructions are going to use the hostname “DC123” as name of the domain controller, and assume that you want to run your System State backup every day at 3:00am.
Login to your domain controller, and perform the following steps:
The backup job itself will probably take somewhere between 15 and 30 minutes to run. Then you can back up the C:\Backup\ folder to tape. Personally, I preferred to schedule another task at 4:00am to "robocopy" (part of the Windows Server 2003 Resource Kit Tools download) each of the backup files to another server, where they were all dumped to tape a few hours later.
You only really need to back up one domain controller for this to work, but then you are pretty much locked into a single hardware set when it comes time to restore. Since I was never sure what hardware I would have available when the time came, I made a practice of housing each domain controller on a different model of server and backing each of them up individually. Each backup cost me somewhere between 600 and 800 MB of disk space (a small pittance by today's standards).
Yes, this was probably a significant amount of overkill on my part. However, I find that the more paranoid you are, the better prepared you tend to find yourself. And I tend to be rather paranoid about things like DR.
Now let’s pretend that a disaster has struck!
You’ve retrieved your tapes from off-site storage and acquired your target hardware, so let’s get to work! (Remember that matching the hardware to the DC restore would be best, but you can make substitutions. It’s not an exact science, so some experimentation may be required.)
Note: These instructions are written with a few assumptions in mind.
- We assume that your entire domain has been leveled by some catastrophic event.
- We assume that your domain controllers are running a Windows 2003 operating system.
- We assume that whoever is doing the work knows the login credentials (from the original domain) for the domain's Administrator account, or for a user account that is a member of both the domain's "Domain Admins" and "Schema Admins" groups.
If your server hardware is significantly different from the original DC, then you may experience difficulty with the boot to the GUI. If this is the case, then you might be able to still recover the OS by booting into Safe Mode or by booting to an original Windows 2003 OS CD to perform a Repair.
Once you get into the GUI, you will need to login using the local Administrator password from the original DC.
Now you will be able to seize the FSMO roles. (Note: After each “seize” command, click [Yes] and allow 3-5 minutes for the task to complete.)
Next, confirm that your DC is a Global Catalog server.
Now we’ll clean the old domain controllers out of the AD database.
Your domain should now be successfully restored, but don’t consider yourself finished at this point. This restored server should be considered hinky at best, and should not be kept as a long-term solution.
Before doing anything else, I recommend that you build a 2nd “clean” domain controller alongside this restored 1st DC. Then, transfer the FSMO roles to the 2nd DC. Finally, demote the 1st DC to a member server and retire it from the domain. That will hopefully ensure that your domain is running on a clean and stable DC that you can rely upon. Then, build a new 2nd DC to ensure some redundancy.
Congratulations! Your domain is restored. Now get to work on restoring everything else.
This article describes how to reset the Directory Services Restore Mode (DSRM) administrator password for any server in your domain without restarting the server in DSRM. Microsoft Windows 2000 uses the Setpwd utility to reset the DSRM password. In Microsoft Windows Server 2003, that functionality has been integrated into the NTDSUTIL tool. Note that you cannot use the procedure that is described in this article if the target server is running in DSRM. A member of the Domain Administrators group sets the DSRM administrator password during the promotion process for the domain controller. You can use Ntdsutil.exe to reset this password for the server on which you are working, or for another domain controller in the domain.
Open ADUC and do the following:
1. Right-click Saved Queries and click New > Query.
2. Type a name for the saved query, such as "Find all non-expiring PW users".
3. Click the Define Query button.
4. In the Find drop-down list select Custom Search, then click the Advanced tab.
5. Enter the LDAP filter (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)) and click OK, then click OK again to save the query. 1.2.840.113556.1.4.803 is the bitwise-AND matching rule and 65536 (0x10000) is the DONT_EXPIRE_PASSWD flag, so the query returns every user whose password never expires.
Click the Export List button at the top of the ADUC window and save the result to a text file.
Flags that control the behavior of the user account.
Attribute property | Value |
---|---|
CN | User-Account-Control |
Ldap-Display-Name | userAccountControl |
Size | 4 bytes |
Update Privilege | This value is set by the system. |
Update Frequency | Each time the account policy changes. |
Attribute-Id | 1.2.840.113556.1.4.8 |
System-Id-Guid | bf967a68-0de6-11d0-a285-00aa003049e2 |
Syntax | Enumeration |
Link-Id | - |
MAPI-Id | - |
System-Only | False |
Is-Single-Valued | True |
Is Indexed | True |
In Global Catalog | True |
NT-Security-Descriptor | O:BAG:BAD:S: |
Range-Lower | - |
Range-Upper | - |
Search-Flags | 0x00000019 |
System-Flags | 0x00000012 |
Classes used in | User |
This attribute value can be zero or a combination of one or more of the following values.
Hexadecimal value | Identifier (defined in iads.h) | Description |
---|---|---|
0x00000001 | ADS_UF_SCRIPT | The logon script is executed. |
0x00000002 | ADS_UF_ACCOUNTDISABLE | The user account is disabled. |
0x00000008 | ADS_UF_HOMEDIR_REQUIRED | The home directory is required. |
0x00000010 | ADS_UF_LOCKOUT | The account is currently locked out. |
0x00000020 | ADS_UF_PASSWD_NOTREQD | No password is required. |
0x00000040 | ADS_UF_PASSWD_CANT_CHANGE | The user cannot change the password. Note: you cannot assign the PASSWD_CANT_CHANGE permission by directly modifying the userAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password. |
0x00000080 | ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED | The user can send an encrypted password. |
0x00000100 | ADS_UF_TEMP_DUPLICATE_ACCOUNT | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account. |
0x00000200 | ADS_UF_NORMAL_ACCOUNT | This is a default account type that represents a typical user. |
0x00000800 | ADS_UF_INTERDOMAIN_TRUST_ACCOUNT | This is a permit to trust account for a system domain that trusts other domains. |
0x00001000 | ADS_UF_WORKSTATION_TRUST_ACCOUNT | This is a computer account for a computer that is a member of this domain. |
0x00002000 | ADS_UF_SERVER_TRUST_ACCOUNT | This is a computer account for a system backup domain controller that is a member of this domain. |
0x00004000 | N/A | Not used. |
0x00008000 | N/A | Not used. |
0x00010000 | ADS_UF_DONT_EXPIRE_PASSWD | The password for this account will never expire. |
0x00020000 | ADS_UF_MNS_LOGON_ACCOUNT | This is an MNS logon account. |
0x00040000 | ADS_UF_SMARTCARD_REQUIRED | The user must log on using a smart card. |
0x00080000 | ADS_UF_TRUSTED_FOR_DELEGATION | The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. |
0x00100000 | ADS_UF_NOT_DELEGATED | The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation. |
0x00200000 | ADS_UF_USE_DES_KEY_ONLY | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. |
0x00400000 | ADS_UF_DONT_REQUIRE_PREAUTH | This account does not require Kerberos pre-authentication for logon. |
0x00800000 | ADS_UF_PASSWORD_EXPIRED | The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy. |
0x01000000 | ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network. |
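To see how the saved query above and the flag table fit together, here is an added example (not code from the original page) that decodes a userAccountControl value into flag names, builds the bitwise-AND filter for any combination of flags, and lists enabled accounts carrying flags that weaken authentication. The directory entries it runs over are constructed samples standing in for what an LDAP search would return.

```python
"""Decode userAccountControl values and build the bitwise-AND LDAP filter.

Added example, not code from the original page. The flag values are the ones in
the table above; the sample directory entries are constructed for the example.
"""

# Bit -> name, taken from the userAccountControl table (iads.h ADS_UF_* names).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQUIRE_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}
BITS = {name: bit for bit, name in UAC_FLAGS.items()}

# LDAP_MATCHING_RULE_BIT_AND: matches when every bit of the given mask is set.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Flags that weaken an account's authentication and deserve a periodic review.
RISKY = ("PASSWD_NOTREQD", "ENCRYPTED_TEXT_PASSWORD_ALLOWED", "DONT_EXPIRE_PASSWD",
         "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_REQUIRE_PREAUTH",
         "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION")


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bit_and_filter(*flag_names):
    """Build the ADUC custom-search filter for users that have ALL the given flags.

    The saved query above uses 65536 (DONT_EXPIRE_PASSWD); the enclosing (&...)
    is required for the filter to be valid LDAP syntax.
    """
    mask = 0
    for name in flag_names:
        mask |= BITS[name]
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND_RULE}:={mask}))")


def audit(entries):
    """Map sAMAccountName -> risky flags for every enabled account in entries."""
    findings = {}
    for entry in entries:
        uac = entry["userAccountControl"]
        if uac & BITS["ACCOUNTDISABLE"]:
            continue  # a disabled account cannot log on; skip it
        risky = [name for name in decode_uac(uac) if name in RISKY]
        if risky:
            findings[entry["sAMAccountName"]] = risky
    return findings


# Constructed sample entries, shaped like the attributes an LDAP search returns.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "bobby", "userAccountControl": 0x10200},        # password never expires
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x480200},  # delegation + no preauth
    {"sAMAccountName": "olduser", "userAccountControl": 0x10202},      # disabled
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},           # plain account
]

if __name__ == "__main__":
    print(bit_and_filter("DONT_EXPIRE_PASSWD"))
    for account, flags in audit(SAMPLE_ENTRIES).items():
        print(f"{account}: {', '.join(flags)}")
```

The audit deliberately skips disabled accounts, which is also why the ADUC query is best combined with an ACCOUNTDISABLE check before anyone acts on the export: an old, disabled account with a non-expiring password is noise, an enabled service account with DONT_REQUIRE_PREAUTH or TRUSTED_FOR_DELEGATION is not.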
Create a .csv file (freshmen09.csv) with 4 columns: Last Name, First Name, Username, Password. Then create a batch file containing:
for /F "tokens=1,2,3,4 delims=," %%i in (freshmen09.csv) do dsadd user "cn=%%j %%i,ou=2013,ou=students,dc=[domain],dc=org" -samid %%k -pwd "%%l" -upn %%k@[domain].org -fn "%%j" -ln "%%i" -display "%%j %%i" -memberof "cn=GL 2013,ou=2013,ou=students,dc=[domain],dc=org" -disabled no -mustchpwd yes -hmdrv U: -hmdir "\\[network home directory]\2013\%%k"
Here %%i is the last name, %%j the first name, %%k the username and %%l the password. Because for /F splits on every comma, no value may contain a comma. The CSV holds the initial passwords in clear text, so restrict its NTFS permissions and delete it once the accounts exist; -mustchpwd yes forces each user to change the password at first logon.
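The same account creation, as an added example that is not the batch file from the page: it keeps the page's column order and OU layout, but reads the CSV with a real parser and escapes the CN per RFC 4514, so a surname such as "Smith, Jr." cannot break, or quietly alter, the distinguished name the way it would under for /F. The domain, UPN suffix and home-directory share are placeholders, and the CSV text is a constructed sample.

```python
"""Generate dsadd commands from the account CSV, with DN-safe escaping.

Added example, not the batch file from the page. Same column order as the page
(Last Name, First Name, Username, Password); the domain, UPN suffix and home
share are placeholders. Unlike 'for /F', the csv module handles quoted fields,
and the CN is escaped per RFC 4514 so a comma in a name cannot change the DN.
"""
import csv
import io
import re

# Characters that must be backslash-escaped inside an RDN attribute value (RFC 4514).
DN_SPECIALS = ',+"\\<>;='
# sAMAccountName: at most 20 characters and none of these characters.
SAM_BAD = re.compile(r'["/\\\[\]:;|=,+*?<>]')


def escape_rdn_value(value):
    """Escape a string for use as an RDN value, e.g. 'Smith, Jr.' -> 'Smith\\, Jr.'."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def valid_sam(username):
    """True if username is an acceptable sAMAccountName."""
    return 0 < len(username) <= 20 and not SAM_BAD.search(username)


def build_dsadd(row, domain_dn="dc=example,dc=org", upn_suffix="example.org",
                ou="ou=2013,ou=students", group_cn="GL 2013",
                home_share=r"\\fileserver\home\2013"):
    """Return one dsadd command line for a (last, first, username, password) row."""
    last, first, username, password = (c.strip() for c in row)
    if not valid_sam(username):
        raise ValueError(f"invalid sAMAccountName: {username!r}")
    if not password:
        raise ValueError(f"empty password for {username}")
    # A literal double quote cannot be passed safely inside a quoted cmd.exe argument.
    if any('"' in v for v in (last, first, password)):
        raise ValueError(f"double quote in data for {username}")
    cn = escape_rdn_value(f"{first} {last}")
    user_dn = f"cn={cn},{ou},{domain_dn}"
    group_dn = f"cn={escape_rdn_value(group_cn)},{ou},{domain_dn}"
    return (
        f'dsadd user "{user_dn}" -samid "{username}" -pwd "{password}" '
        f'-upn "{username}@{upn_suffix}" -fn "{first}" -ln "{last}" '
        f'-display "{first} {last}" -memberof "{group_dn}" '
        f'-disabled no -mustchpwd yes -hmdrv U: -hmdir "{home_share}\\{username}"'
    )


def generate(csv_text):
    """Return a dsadd command for every non-empty row of the CSV text."""
    rows = csv.reader(io.StringIO(csv_text))
    return [build_dsadd(row) for row in rows if row]


# Constructed sample input; the quoted surname is the case 'for /F' gets wrong.
SAMPLE_CSV = 'Doe,Jane,jdoe,Tmp#Pass2013\n"Smith, Jr.",Bob,bsmith,Tmp#Pass2013\n'

if __name__ == "__main__":
    for line in generate(SAMPLE_CSV):
        print(line)
```

Redirect the output to a .cmd file and run it on the DC; the generated lines still carry the initial passwords, so the same handling rules apply to that file as to the CSV.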
To find out whether your cPanel and WHM are updated automatically, go to Server Configuration > Update Preferences and check whether Daily Update Automatic is selected.
Postfix is a secure Mail Transfer Agent
apt-get install postfix
cat /var/log/mail.log
postconf -e "myorigin = example.com"
postconf -e "myhostname=server1.example.com"
postconf -e "relay_domains = example.com, example2.com, example3.com"
postfix reload
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (Debian/GNU)
mail from:<you@youremail.com>
rcpt to:<user@example.com>
data
To: user@example.com
From: you@youremail.com
Subject: Hey my first email

This is my first email on debian postfix after installing and configuring it. It was easy.
.
quit
qshape (queue contents by age and domain)
mailq (list the mail queue)
qshape deferred (the deferred queue only)
postsuper -r ALL (requeue all emails)
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client sbl.spamhaus.org,
    permit
smtpd_helo_restrictions = reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
Insert this in your /etc/postfix/main.cf:
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
See what rbl is about: http://www.us.sorbs.net/mailsystems/postfix.shtml
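A static check for the relay rule behind the restriction lists above, as an added example that is not code from the page or from the Postfix project. Postfix evaluates each smtpd_*_restrictions list in order and the first matching rule wins, so if an unconditional permit (or the end of the list, which also permits) is reached before reject_unauth_destination, any client can relay through the server. The function parses main.cf syntax, including indented continuation lines, and flags that case; both main.cf texts are constructed samples, check_*_access tables are not modelled, and on Postfix 2.10+ a default (unset) smtpd_relay_restrictions, which also guards relaying, is not seen because only parameters present in the file are read.

```python
"""Static open-relay check for Postfix restriction lists in main.cf.

Added example, not from the page or the Postfix project. Both main.cf texts
below are constructed samples. The rule applied is Postfix's own: restriction
lists are evaluated in order, the first match decides, and reaching a plain
'permit' (or the end of the list) permits the recipient.
"""
import re

UNAUTH_CHECKS = ("reject_unauth_destination", "defer_unauth_destination")
RELAY_LISTS = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")


def parse_main_cf(text):
    """Return {parameter: value}; handles '#' comments and indented continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()  # continuation of the previous parameter
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params


def restriction_list(value):
    """Split a restriction list into tokens. Arguments such as an RBL zone become
    separate tokens, which does not affect the checks below."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def relay_guarded(items):
    """True if an unauth-destination check is reached before any unconditional permit."""
    for token in items:
        if token == "permit":
            return False
        if token in UNAUTH_CHECKS:
            return True
    return False  # list exhausted: Postfix's implicit final action is permit


def check_relay(params):
    """Return a list of findings; an empty list means relaying is controlled."""
    present = [name for name in RELAY_LISTS if name in params]
    if not present:
        return ["no smtpd_relay_restrictions or smtpd_recipient_restrictions set"]
    if not any(relay_guarded(restriction_list(params[name])) for name in present):
        return ["open relay: no unauth-destination check before an unconditional permit in "
                + ", ".join(present)]
    return []


# Constructed sample: the restriction lists from this page, written with continuation lines.
PAGE_MAIN_CF = """\
myhostname = server1.example.com
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client sbl.spamhaus.org,
    permit
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
"""

# Constructed sample: 'permit' placed before the relay check, i.e. an open relay.
OPEN_RELAY_MAIN_CF = """\
# permit comes first, so reject_unauth_destination is never evaluated
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""

if __name__ == "__main__":
    for label, text in (("page config", PAGE_MAIN_CF), ("broken config", OPEN_RELAY_MAIN_CF)):
        print(label, "->", check_relay(parse_main_cf(text)) or "ok")
```

Run it against the real file with parse_main_cf(open("/etc/postfix/main.cf").read()); for a live check, the telnet session shown earlier with a rcpt to: outside your relay_domains from a host outside mynetworks should be answered with 554 Relay access denied.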
apt-get install libsasl2-modules
postconf -e "relayhost = [smtp.sbcglobal.yahoo.com]:587"
postconf -e "smtp_sasl_auth_enable = yes"
postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd"
postconf -e "smtp_sasl_security_options = noanonymous"
Put the relay host and its credentials on one line in /etc/postfix/sasl_passwd (host, username and password here are placeholders):
[smtp.sbcglobal.yahoo.com]:587 username@sbcglobal.net:mypassword
Note that noanonymous still allows the PLAIN and LOGIN mechanisms, so unless the session is encrypted (smtp_tls_security_level = encrypt, or smtp_use_tls = yes on older versions) the password crosses the wire in the clear.
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
postfix reload
postconf -e "alias_maps = hash:/etc/aliases"
Entries in /etc/aliases: mail for root goes to lucas, and lucas is forwarded to an external address (use either the second or the third form; the third keeps a local copy as well):
root: lucas
lucas: myemail@example.com
lucas: lucas, myemail@example.com
newaliases
/etc/init.d/postfix reload
postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual"
vi /etc/postfix/virtual
postmaster info@example.com
abuse info@example.com
someemail lucas
postmap /etc/postfix/virtual
/etc/init.d/postfix reload
postconf -e "home_mailbox = Maildir/"
postconf -e "mailbox_command ="
vi /etc/Muttrc
set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"
The instructions below are WRONG! You should not use postfix-to-mailman.py and aliases at the same time. Please read /etc/mailman/postfix-to-mailman.py instead.
apt-get install mailman
newlist mailman
/etc/init.d/mailman start
In /etc/postfix/main.cf:
relay_domains = example.com, lists.example.com
alias_maps = hash:/etc/aliases,hash:/var/lib/mailman/data/aliases
postconf -e "transport_maps = hash:/etc/postfix/transport"
postconf -e "mailman_destination_recipient_limit = 1"
In /etc/postfix/master.cf:
mailman unix - n n - - pipe flags=FR user=list argv=/var/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
In /etc/postfix/transport:
lists.example.com mailman:
postmap /etc/postfix/transport
In /etc/mailman/mm_cfg.py:
MTA = 'Postfix'
DEB_LISTMASTER = 'postmaster@example.com'
POSTFIX_STYLE_VIRTUAL_DOMAINS = ['lists.example.com']
/etc/init.d/postfix reload
/etc/init.d/mailman restart
newlist list_name
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/
http://lists.yourwebsite.com/cgi-bin/mailman/listinfo/list_name/
Assuming your postfix is running and listening on localhost, another possible problem is that postfix is not configured to run in IPv6 mode, but your /etc/hosts file specifies ::1 as localhost. In that case mailman tries to send mails to ::1 which has no postfix listening, thus resulting in a (111, ‘connection refused’) error.
I have some systems that are networked on an internal private IP address subnet (192.168.0.0/16). For a few reasons I email reports and such to <user>@mail.internal, where user is an address that is not valid for receiving mail via the external interfaces. These systems also share a public IP address subnet, so they could email each other that way, but I'd prefer they didn't for local addresses. I have published SPF records for the public mail servers because all of our mail routes through those servers, so if others care to check they can ignore email claiming to be from us but delivered from other servers, as per our SPF record.
Recently I have expanded the ip addresses these systems are using externally to support multiple instances of port-based services like https (adding :oddport doesn’t impress the customers.) I could have expanded or added more liberal SPF record values, or added more forward and reverse DNS records but I wanted to stick with less ip addresses.
So to recap my system has:
By using the settings in /etc/postfix/master.cf, /etc/postfix/main.cf and /etc/postfix/transport shown below I was able to get my outgoing SMTP traffic to use my SPF published IP address once again.
If you are trying to implement SPF records while binding to one external ip address and still working with dual-homed multiple ip aliased systems, or have any other reason to support multi-homed systems with multiple ip addresses but want to limit postfix to use only two of them try this.
In /etc/postfix/master.cf (two smtp transports, each bound to one source address):
smtp unix - - - - - smtp -o smtp_bind_address=<spf published ip address>
smtpinternal unix - - - - - smtp -o smtp_bind_address=<internal ip address>
In /etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
In /etc/postfix/transport:
.internal smtpinternal:
Just run postmap /etc/postfix/transport, then invoke-rc.d postfix stop and invoke-rc.d postfix start, and you should be in business. Email to <user>@<system>.internal will be delivered via the internal interface/IP address; all other email will be delivered via the default methods, which means Internet mail will go out the SPF published IP address.
Optional:
inet_interfaces = 127.0.0.1, <internal ip>, <spf published external ip>
Log Parser Studio has recently been released, and it is a long-awaited release at that. It provides a GUI for the Log Parser utility on Windows Server and Windows desktop systems.
Log Parser Studio is a utility that lets you search through and create reports from your IIS, Event, EXADB and other types of logs. It builds on top of Log Parser 2.2 and has a full user interface for easy creation and management of the related SQL queries.
You can download Log Parser Studio from the Microsoft site: http://gallery.technet.microsoft.com/Log-Parser-Studio-cd458765