Wednesday, March 22, 2017

Set up IPS on Fortigate firewall to block brute force RDP attacks

Like most people, my terminal servers are constantly being probed via brute force attacks trying to find a weak spot.  The better answer is to put the terminal server behind a VPN.  Short of that, I like setting up Duo Security for two factor authentication.  Another alternative (and perhaps in addition to Duo) is to detect and protect against brute force attacks on your firewall.

Here's how I configure that on my Fortigate firewall.

First, enable the Intrusion Prevention module (if not already done) in Config -> Features

Next, I enable the IPS rule for RDP brute force attacks. I set a threshold of 15 over 900 seconds (15 minutes) with a block duration of 259200 seconds (3 days).
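
The rate rule above, replayed in Python as an added example (this is not Fortinet code): the same sliding-window logic, 15 hits from one source inside 900 seconds followed by a 259200-second quarantine, run over constructed firewall log lines. The log format, the TEST-NET addresses and the timestamps are all constructed for the example. It also shows the case the threshold is meant to tolerate, a slow scanner whose earlier hits age out of the window before the count reaches 15, and that attempts arriving during a quarantine are dropped rather than counted.

```python
"""Rate-based quarantine of RDP connection attempts, modelled on the IPS
rule described in the post: 15 hits from one source inside 900 seconds
quarantines that source for 259200 seconds (3 days).  Added example, not
Fortinet code; the log format and all addresses/timestamps are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 15          # hits inside the window that trigger a block
WINDOW = 900            # window length in seconds (15 minutes)
BLOCK_SECONDS = 259200  # quarantine length in seconds (3 days)


def parse_line(line):
    """Parse one constructed log line: '<ISO-8601 timestamp> <srcip> <dstport>'."""
    stamp, src, port = line.split()
    return datetime.fromisoformat(stamp), src, int(port)


def rate_limit(events, threshold=THRESHOLD, window=WINDOW, block_seconds=BLOCK_SECONDS):
    """Replay (timestamp, srcip) events in time order with a per-source sliding window.

    Returns (blocked, dropped): blocked maps srcip -> (block start, block end) for
    every source that reached the threshold; dropped counts events that arrived
    while their source was already quarantined (the firewall drops them unseen)."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    blocked = {}
    dropped = 0
    for ts, src in sorted(events):
        if src in blocked and ts < blocked[src][1]:
            dropped += 1
            continue
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > timedelta(seconds=window):   # age out old hits
            hits.popleft()
        if len(hits) >= threshold:
            blocked[src] = (ts, ts + timedelta(seconds=block_seconds))
            hits.clear()
    return blocked, dropped


def sample_log():
    """Constructed firewall log: a fast scanner, a normal user and a slow scanner."""
    base = datetime(2017, 3, 22, 9, 0, 0)
    lines = []
    # 203.0.113.5: 20 attempts 30 s apart -> 15th hit at +420 s, inside the window
    lines += [f"{(base + timedelta(seconds=30 * i)).isoformat()} 203.0.113.5 3389" for i in range(20)]
    # 198.51.100.7: 5 attempts spread over an hour -> never near the threshold
    lines += [f"{(base + timedelta(minutes=12 * i)).isoformat()} 198.51.100.7 3389" for i in range(5)]
    # 192.0.2.9: 14 attempts 65 s apart, then one more at +2000 s -> by then the
    # earlier hits have aged out, so the count restarts at 1 (never blocked)
    lines += [f"{(base + timedelta(seconds=65 * i)).isoformat()} 192.0.2.9 3389" for i in range(14)]
    lines.append(f"{(base + timedelta(seconds=2000)).isoformat()} 192.0.2.9 3389")
    # unrelated HTTPS hit that the RDP rule must ignore
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 192.0.2.9 443")
    return lines


def run_sample():
    """Apply the rule to the constructed log, counting only RDP (port 3389) hits."""
    events = [(ts, src) for ts, src, port in map(parse_line, sample_log()) if port == 3389]
    return rate_limit(events)


if __name__ == "__main__":
    blocked, dropped = run_sample()
    for src, (start, end) in blocked.items():
        print(f"{src} quarantined from {start} until {end}")
    print(f"{dropped} attempts dropped while quarantined")
```

Running it quarantines only 203.0.113.5, from 09:07:00 (its 15th attempt) for exactly three days, and reports 5 dropped attempts; the other two sources are never blocked. Hits exactly 900 seconds old still count, which matches the "15 over 900 seconds" wording of the rule.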

Then open the firewall policy that allows RDP and apply the default IPS sensor to it.

That's all you need to do.  If you want to see what IP addresses have been blocked, go to Log & Report -> Security Log -> Intrusion Protection

Monday, March 20, 2017

Enabling two factor authentication in Outlook 2013 with Office365

This post will go over what you need to do to enable two factor authentication in Office 2013 with a backend Office365 mail server (so you don't need to use app passwords).  This process sets up the 'modern authentication' login window for Office 2013 programs.

Step one - from a PowerShell command prompt run this command (info from here):
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Step two - Add group policy to push modern authentication registry entries to Office 2013 computers

After step two is complete, I'd recommend waiting a couple of days for all the users to get these settings added to their registry via group policy.

Step three - enable 2FA from the Office Portal:

Thursday, March 9, 2017

Windows 7 not installing updates

As of March 2017, I rarely ever touch a Windows 7 machine anymore, but I did today, and the machine was checking for updates over and over again.  I googled and found a solution in my case (below).  The machine I was working on had installed updates in October 2016.  In general, I'd say my process for updating Windows 7 machines is this:

Install the convenience update if the most recent updates were older than April 2016

If the convenience update is installed, then I'd recommend these commands from an elevated command prompt:

net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start cryptSvc
net start bits
net start msiserver

Sunday, March 5, 2017

Start menu organization in Windows 10

I used to leave the Windows 10 menu alone with all the default bloatware garbage on it, but I've started arranging the menu and putting the critical programs, weather, and news (changed from small to large window size) on the start menu.  I prefer a nicely organized tile section in my start menu, so why not make it that way for the users?  This is what my typical start menu looks like:

Friday, February 24, 2017

Computer swap process - revised 2-24-17

This post will go over all the items we look at when putting in a new computer for an existing user (for example - an employee is getting a new laptop and needs his/her data transferred).  This process doesn't cover installation of programs (assumes this has already been done), but it will ask you to check on important installations.

  1. Change the name of the computer as required (putting initials for the user in the computer name)
  2. Install all applicable updates (for Windows and Office)
  3. Copy data from old computer to new computer using robocopy script
  4. Move data to appropriate locations (desktop data to desktop, music to music folder, etc)
  5. Ensure all applicable programs are installed/configured including (but not limited to):
    a. AP StyleGuard
    b. Adobe Acrobat Standard/Reader
    c. NitroPDF
    d. MS Project
    e. MS Visio
    f. TightVNC
    g. Skype
    h. Google Talk
    i. QuickBooks
    j. Malwarebytes
    k. Java
    l. FileMaker
    m. Backblaze (or other backup program)
    n. Great Plains and/or Management Reporter
  6. Make sure Outlook is configured as appropriate
  7. Confirm antivirus is installed and up to date
  8. Confirm shared calendars are in place
  9. Confirm printers are installed with appropriate printer set as default
  10. Confirm VPN is in place with saved credentials
  11. Confirm new user has appropriate permissions on computer (local admin or standard user)
  12. Put appropriate icons for frequently accessed programs on desktop (Computer, Word, Excel, Outlook, terminal server icon, VPN icon, accounting software if applicable)
  13. Confirm backup is working properly for the new user.
  14. Add drivers for mobile broadband card if needed
  15. Encrypt the laptop using BitLocker if required on that network
  16. Arrange the start menu per best practices (link to visual of best practices)
  17. Track computer's serial number in inventory spreadsheet and make sure user's name is noted as current user for computer

Wednesday, December 21, 2016

Setting Up Two Factor Authentication in Office365

This post will go over the steps a person will need to take in setting up two factor authentication for Office365.  As of 2016, two factor authentication is the most common option for secure access to cloud based systems.

Step 1: Ask your administrator to enable two factor authentication (can only be enabled by an administrator)

Step 2: Go to https://account.activedirectory.windowsazure.com/profile/

Step 3: Log in with your email address

Step 4: Click Set up now

Step 5: Set up the second authentication method.  For 99% of people, this will be a text message to your cell phone

Step 6: Click Contact me.  You'll get a code sent to your cell phone.  Enter that code on the next page to verify successful receipt of the code.  Click Verify after entering the code.

Step 7: Click Done (you can ignore the other text in the window)

Step 8: Click Additional Security Verification

Step 9: Confirm that the settings look right (they should look right if you've gotten this far)

Step 10: Click on "app passwords"

Step 11: Click Create

Step 12: Give a name to the app password you're creating.  With near certainty, the first one you'll want to create will be for Outlook.  You'll be creating an app password for *each* non-web based program/device you use.  You cannot reuse app passwords.  Let's say you've got a tablet, a phone, two different Outlook installations (on two different computers), and a Skype for Business installation.  That's five different programs and you'll need five separate app passwords.  I recommend naming each app password for the program you'll be using.  For example, you might call them Outlook laptop, Outlook desktop, iPhone 7, Galaxy S7, iPad, Skype for Business, or something similar.

Step 13: Use the app password the system gives you and track it.  Within the next two hours, your devices (Outlook or phone or tablet etc) will prompt you for a password for your email account.  Instead of using your regular password, you'll use the app password.  You *cannot* reuse app passwords, so you should be sure to 1) make as many passwords as you need and 2) track them until you first use them (the app passwords are useless after you first use them).

Thursday, December 15, 2016

Windows 10 Upgrade tips when the upgrade process fails

My last two Windows 7 to Windows 10 upgrades have not gone smoothly.  In each case, I was running the Windows 10 upgrade for users who use the accessibility features of Windows located here:
https://www.microsoft.com/en-us/accessibility/windows10upgrade

Here are the steps I take if the computer is stuck at 0% installing Windows 10 or stops anywhere before finishing.

  1. Create a batch file with the content below and run the file as administrator
  2. Update all drivers on the machine - particularly the video card driver
  3. Make sure the C drive has at least 40 GB free
  4. Run "sfc /scannow" from an elevated DOS prompt
  5. Remove any third party antivirus
  6. Log in as a user with a minimal profile
  7. Go to msconfig and under services, hide all Microsoft services and then disable all services (which will leave all MS services enabled)
  8. Remove the computer from the domain and log in with a brand new profile with admin privileges.

Batch file contents:

rem Stop the update-related services so their files and registry keys can be reset
net stop wuauserv
net stop bits
net stop cryptsvc
net stop trustedinstaller
rem Restore the start types and service accounts
sc config cryptsvc start= auto obj= "NT Authority\NetworkService" password= a
sc config wuauserv start= auto obj= LocalSystem
sc config bits start= delayed-auto obj= LocalSystem
sc config trustedinstaller start= demand obj= LocalSystem
sc config eventlog start= auto
rem Restore the service DLL paths and clear update policy and pending-component state
reg add HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\wuaueng.dll" /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\bits\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\qmgr.dll" /f
reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /f
reg delete HKLM\COMPONENTS\PendingXmlIdentifier /f
reg delete HKLM\COMPONENTS\NextQueueEntryIndex /f
reg delete HKLM\COMPONENTS\AdvancedInstallersNeedResolving /f
rem Set each service's security descriptor (DACL and SACL) in SDDL form
sc sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
sc sdset bits D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;SAFA;WDWO;;;BA)
sc sdset cryptsvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
sc sdset trustedinstaller D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;SAFA;WDWO;;;BA)
sc sdset eventlog D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;SA;DCRPWPDTCRSDWDWO;;;WD)(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
rem Remove a stuck pending.xml (the second icacls line uses the Swedish name of the Administrators group and is harmless elsewhere)
takeown /f %systemroot%\winsxs\pending.xml
icacls %systemroot%\winsxs\pending.xml /grant Administrators:(F)
icacls %systemroot%\winsxs\pending.xml /grant Administratörer:(F)
del /q %systemroot%\winsxs\pending.xml
rem Rename the update caches so they are rebuilt on the next check
ren %systemroot%\System32\Catroot2 oldcatroot2
ren %systemroot%\SoftwareDistribution SoftwareDistribution.old
rename \ProgramData\Microsoft\Network\Downloader Downloader.old
rem Re-register the Windows Update, BITS and crypto components
cd /d %windir%\system32
regsvr32.exe atl.dll /s
regsvr32.exe urlmon.dll /s
regsvr32.exe jscript.dll /s
regsvr32.exe vbscript.dll /s
regsvr32.exe scrrun.dll /s
regsvr32.exe msxml3.dll /s
regsvr32.exe msxml6.dll /s
regsvr32.exe actxprxy.dll /s
regsvr32.exe softpub.dll /s
regsvr32.exe wintrust.dll /s
regsvr32.exe dssenh.dll /s
regsvr32.exe rsaenh.dll /s
regsvr32.exe cryptdlg.dll /s
regsvr32.exe oleaut32.dll /s
regsvr32.exe ole32.dll /s
regsvr32.exe shell32.dll /s
regsvr32.exe wuapi.dll /s
regsvr32.exe wuaueng.dll /s
regsvr32.exe wups.dll /s
regsvr32.exe wups2.dll /s
regsvr32.exe qmgrprxy.dll /s
regsvr32.exe wucltux.dll /s
regsvr32.exe wuwebv.dll /s
rem Start the services again, reset proxy and BITS state, then force a new detection
net start eventlog
net start cryptsvc
net start bits
net start wuauserv
fsutil resource setautoreset true c:\
netsh winhttp reset proxy
bitsadmin /reset /allusers
wuauclt.exe /resetauthorization /detectnow
:MESSAGE
echo+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
echo===========================================================
echo     The commands have been successfully executed. Hit enter to continue
echo===========================================================
echo+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
pause > nul
:end
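
The `sc sdset` lines in the batch file above are the part of it most worth reading before running, since they decide who may start, stop, reconfigure or take over each service. The following Python decoder is an added example (not Microsoft code) that parses those SDDL strings into per-principal right lists and flags any allow entry that hands a control right (ChangeConfig, Delete, WriteDac, WriteOwner) to a principal other than Administrators or Local System. The wuauserv descriptor is copied from the batch file; `WEAK_SDDL` is a constructed bad descriptor included for contrast. The right and SID abbreviations are the documented service-SDDL ones.

```python
"""Decode the SDDL strings passed to `sc sdset` in the batch file above, so the
per-principal grants in each service descriptor can be read and checked.
Added example, not Microsoft code; WUAUSERV_SDDL is copied from the batch
file, WEAK_SDDL is a constructed bad descriptor shown for contrast."""
import re

ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
TRUSTEES = {"AU": "Authenticated Users", "BA": "Administrators", "SY": "Local System",
            "WD": "Everyone", "IU": "Interactive Users", "SU": "Service Logon"}
# two-letter right codes as they apply to services
RIGHTS = {"CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
          "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
          "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
          "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner"}
# rights that let a principal reconfigure, delete or take over the service
CONTROL_RIGHTS = {"DC", "SD", "WD", "WO"}

# descriptor for wuauserv, copied from the batch file
WUAUSERV_SDDL = ("D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)")
# constructed weak descriptor: full control for every authenticated user
WEAK_SDDL = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"

SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def pairs(s):
    """Split a run of two-letter codes ('CCLCSW') into ['CC', 'LC', 'SW']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_ace(body):
    """Parse 'type;flags;rights;object_guid;inherit_guid;sid' into a dict."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: ({body})")
    ace_type, flags, rights, _obj, _inherit, sid = fields
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": pairs(flags),
            "rights": pairs(rights),
            "trustee": TRUSTEES.get(sid, sid)}


def parse_sddl(sddl):
    """Return {'D': [aces...], 'S': [aces...]} for the DACL and SACL sections."""
    sections = {}
    for kind, _flags, aces in SECTION_RE.findall(sddl):
        sections[kind] = [parse_ace(a) for a in ACE_RE.findall(aces)]
    return sections


def control_grants(sddl, trusted=("Administrators", "Local System")):
    """List (trustee, right name) for allow ACEs that hand a control right to a
    principal outside `trusted`; an empty list means nobody else can alter it."""
    findings = []
    for ace in parse_sddl(sddl).get("D", []):
        if ace["type"] != "allow" or ace["trustee"] in trusted:
            continue
        findings += [(ace["trustee"], RIGHTS[r]) for r in ace["rights"] if r in CONTROL_RIGHTS]
    return findings


if __name__ == "__main__":
    for ace in parse_sddl(WUAUSERV_SDDL)["D"]:
        print(ace["trustee"], [RIGHTS.get(r, r) for r in ace["rights"]])
    print("wuauserv control grants:", control_grants(WUAUSERV_SDDL))
    print("weak descriptor:", control_grants(WEAK_SDDL))
```

For the wuauserv descriptor this shows Authenticated Users limited to query, enumerate, start, interrogate and read-control, with full control reserved for Administrators and Local System, and the SACL entry auditing failed access by Everyone; the constructed weak descriptor is reported with four control grants to Authenticated Users.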