PowerShell for Security Professionals

I found a neat project, PoshSec, that is a collection of PowerShell scripts a security professional can use as part of their toolbox.

The repository's modules and files, each with the most recent commit message shown in the file listing:

•Account-Monitoring-Control (Updates)

•Authorized-Devices (Updates)

•Baselines (Patch to fix Start-SecDailyFunction.ps1)

•Forensics (Updates to Forensics Module)

•Log-Management (Updates)

•Network-Baseline (Added Reference to Get-SecOpenPorts)

•PoshSec-Configuration (Updating Module Versions to 1.0)

•PoshSec.PowerShell.Commands 3.5 (Updates)

•PoshSec.PowerShell.Commands (PoshSec Commands for .NET 3.5)

•Software-Management (Updates)

•Utility-Functions (Added Values by Type)

•README.md (Update README.md)

•license.txt (Update license.txt)

•poshsec.psd1 (PSD1 File Update)

•poshsec.psm1 (Module Cleanup)

To find out more go here


PowerShell Scripts for Admins and Auditors

Here are a few PowerShell scripts that I use to look at logs and user accounts.

To find the latest logon time (this uses the Quest ActiveRoles AD cmdlets, and Measure-Latest is a helper function that returns the most recent of the dates piped to it; replace username with the account to check):

•Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName username).LastLogon } | Measure-Latest

The following example demonstrates how to find inactive user accounts:

•Search-ADAccount -AccountInactive | Where-Object { $_.ObjectClass -eq 'user' } | Format-Table Name,ObjectClass -AutoSize

The following example demonstrates how to find user accounts that have been inactive for 90 days:

•Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | Where-Object { $_.ObjectClass -eq 'user' } | Format-Table Name,ObjectClass -AutoSize

Retrieving Local Security Log Information

On a local computer, use the PowerShell Get-EventLog cmdlet to list the available logs and then pick out the Security log:

•Get-EventLog -List

•Get-EventLog -List | Where-Object { $_.LogDisplayName -eq "Security" }
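Listing the log is only the first step; what an auditor usually wants from it is a summary of failed logons and lockouts. The function below is an added example (not from the original post) that builds that summary with Get-EventLog. It assumes it runs elevated on a machine that audits logon events (typically a domain controller), and the ReplacementStrings positions it reads are the documented field order for event IDs 4625 and 4740.

```powershell
# Added example: summarise failed logons (4625) and account lockouts (4740)
# from the Security log with Get-EventLog. Assumes an elevated session on a
# host that audits logon events; field positions follow the documented
# layout of those two event IDs.
function Get-SecLogonFailureSummary {
    [CmdletBinding()]
    param(
        # Look back this many hours
        [int]$Hours = 24,
        # Host whose Security log is read (local machine by default)
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Event 4625: ReplacementStrings[5] = target account, [19] = source IP
    $failed = Get-EventLog -LogName Security -InstanceId 4625 -After $since `
                           -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Group-Object { $_.ReplacementStrings[5] } |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Failures = $_.Count
                Sources  = ($_.Group | ForEach-Object { $_.ReplacementStrings[19] } |
                            Sort-Object -Unique) -join ', '
            }
        }

    # Event 4740: ReplacementStrings[0] = locked account, [1] = caller computer
    $lockouts = Get-EventLog -LogName Security -InstanceId 4740 -After $since `
                             -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeGenerated
                Account        = $_.ReplacementStrings[0]
                CallerComputer = $_.ReplacementStrings[1]
            }
        }

    [pscustomobject]@{ FailedLogons = $failed; Lockouts = $lockouts }
}

# Usage: accounts with the most failed logons in the last day, then lockouts
$summary = Get-SecLogonFailureSummary -Hours 24
$summary.FailedLogons | Format-Table -AutoSize
$summary.Lockouts     | Format-Table -AutoSize
```

Get-EventLog exists only in Windows PowerShell; on PowerShell 7 the same query is written with Get-WinEvent and a -FilterHashtable of @{ LogName='Security'; Id=4625; StartTime=$since }. A single account with many failures from many source addresses is the pattern worth alerting on, and the CallerComputer field of a 4740 event tells you which machine to look at first.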

Find all users who have "Password Never Expires" set:

Search-ADAccount -PasswordNeverExpires | Format-Table Name,ObjectClass -AutoSize

To Determine Who Has Never Logged On

Get-ADUser -Filter { -not (lastLogonTimestamp -like "*") -and (enabled -eq $true) }

Find the Location of a Locked-Out User (jferron)

$DomainControllers = Get-ADDomainController -Filter *
Foreach ($DC in $DomainControllers)
{
    Get-ADUser -Identity jferron -Server $DC.Hostname `
        -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut
}
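The account checks above (inactive accounts, "Password Never Expires", never logged on, and the per-DC lockout query) are the pieces of one audit, so here they are combined into a single function. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, that the caller has read access to the domain, and the function name Get-SecAccountAuditReport and the user name jferron are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example: one AD account-audit report combining the checks from the post.
# Assumes the RSAT ActiveDirectory module and domain read rights; the function
# name is a placeholder chosen for this example.
function Get-SecAccountAuditReport {
    [CmdletBinding()]
    param(
        # Enabled accounts with no logon for this many days are reported as inactive
        [int]$InactiveDays = 90,
        # Optional account to trace across every DC for lockout details
        [string]$LockedOutUser
    )

    $inactiveSpan = New-TimeSpan -Days $InactiveDays

    # 1. Enabled user accounts with no logon in the last $InactiveDays days
    $inactive = Search-ADAccount -AccountInactive -TimeSpan $inactiveSpan -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object Name, SamAccountName, LastLogonDate

    # 2. Accounts whose password never expires (a common audit finding)
    $neverExpires = Search-ADAccount -PasswordNeverExpires -UsersOnly |
        Select-Object Name, SamAccountName, Enabled

    # 3. Enabled accounts that have never logged on anywhere
    $neverLoggedOn = Get-ADUser -Filter { -not (lastLogonTimestamp -like "*") -and (enabled -eq $true) } `
                                -Properties whenCreated |
        Select-Object Name, SamAccountName, whenCreated

    $report = [ordered]@{
        InactiveAccounts     = $inactive
        PasswordNeverExpires = $neverExpires
        NeverLoggedOn        = $neverLoggedOn
    }

    # 4. Lockout counters are kept per DC and are not replicated, so ask each DC
    if ($LockedOutUser) {
        $report.LockoutByDC = foreach ($dc in Get-ADDomainController -Filter *) {
            try {
                $u = Get-ADUser -Identity $LockedOutUser -Server $dc.HostName `
                        -Properties AccountLockoutTime, LastBadPasswordAttempt, BadPwdCount, LockedOut
                [pscustomobject]@{
                    DomainController       = $dc.HostName
                    LockedOut              = $u.LockedOut
                    BadPwdCount            = $u.BadPwdCount
                    LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                    AccountLockoutTime     = $u.AccountLockoutTime
                }
            }
            catch {
                Write-Warning "Could not query $($dc.HostName): $_"
            }
        }
    }

    [pscustomobject]$report
}

# Usage: 90-day inactivity report plus a lockout trace for one account (placeholder name)
$audit = Get-SecAccountAuditReport -InactiveDays 90 -LockedOutUser 'jferron'
$audit.InactiveAccounts     | Format-Table -AutoSize
$audit.PasswordNeverExpires | Format-Table -AutoSize
$audit.NeverLoggedOn        | Format-Table -AutoSize
$audit.LockoutByDC | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize
```

Querying every DC matters because BadPwdCount and LastBadPasswordAttempt are local to the DC that saw the failures; the DC with the highest count is the one that handled the bad attempts, and its Security log (event ID 4740, also forwarded to the PDC emulator) names the caller computer.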

Updated free E-Books from Microsoft

Here is a list of updated books by subject area you can download.

•Azure

•Lync

•Office

•SharePoint

•SQL Server

•System Center

•Visual Studio

•Web Development

•Windows

•Windows Phone

•Windows Server

•Career


Rogue DHCP Server detection free tool

Having a DHCP server on your network that is not managed by the IT department is a security issue.

Microsoft has released a free tool you can download that shows all the DHCP servers that are authorized in Active Directory and then shows which ones are not approved. It is a graphical tool that tests by subnet.

The rogue detection tool is a GUI tool that checks whether there are any rogue DHCP servers in the local subnet.

[Screenshot: See what you have]

[Screenshot: Choose your network]

The tool has the following features:

1. It can be run once or scheduled to run at a specified interval.

2. It can be run on a specific interface by selecting one of the discovered interfaces.

3. It retrieves all the DHCP servers authorized in the forest and displays them.

4. A DHCP server that is not rogue can be marked as validated (without authorizing it in AD), and this information is persisted.

5. Minimizing the tool hides it; a tray icon remains and shows its status.

You can download this tool here
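The same comparison the tool makes (authorized DHCP servers in AD versus what is actually on the wire) can be scripted for a quick check on any domain-joined host. The function below is an added example, not part of the tool or the original post: it lists the servers authorized in Active Directory with Get-DhcpServerInDC (RSAT DhcpServer module) and checks whether the server that issued each local interface's lease is among them. The function name Test-SecDhcpLeaseSource is a placeholder chosen for this example.

```powershell
#Requires -Modules DhcpServer
# Added example: compare the DHCP server behind each local lease with the list
# of servers authorized in Active Directory. Assumes the RSAT DhcpServer module
# and a domain-joined host; the function name is a placeholder.
function Test-SecDhcpLeaseSource {
    [CmdletBinding()]
    param()

    # Servers authorized in AD, as plain IP strings for comparison
    $authorized = Get-DhcpServerInDC | ForEach-Object { $_.IPAddress.ToString() }

    if (-not $authorized) {
        Write-Warning "No authorized DHCP servers found in AD; every lease will show as unauthorized."
    }

    # Every IP-enabled adapter that obtained its address via DHCP
    Get-CimInstance Win32_NetworkAdapterConfiguration `
        -Filter "DHCPEnabled = TRUE AND IPEnabled = TRUE" |
        Where-Object { $_.DHCPServer } |
        ForEach-Object {
            [pscustomobject]@{
                Interface  = $_.Description
                Address    = ($_.IPAddress | Select-Object -First 1)
                DhcpServer = $_.DHCPServer
                Authorized = ($authorized -contains $_.DHCPServer)
            }
        }
}

# Usage: flag any interface whose lease came from a server not authorized in AD
$leases = Test-SecDhcpLeaseSource
$leases | Format-Table -AutoSize
$leases | Where-Object { -not $_.Authorized } |
    ForEach-Object { Write-Warning "Lease on '$($_.Interface)' came from unauthorized DHCP server $($_.DhcpServer)" }
```

This only sees the server that won the lease on this host, which is exactly the failure mode to care about: a rogue server that answers faster than the authorized one. Running it from a few hosts on each subnet (or on a schedule, as the GUI tool does) gives the same per-subnet coverage.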