Thursday, February 21, 2019

Set SPN Examples

Example 1: List currently registered SPNs

        setspn -l daserver1

        Registered ServicePrincipalNames for CN=DASERVER1,CN=Computers,DC=reskit,DC=contoso,DC=com:
        HOST/daserver1
        HOST/daserver1.reskit.contoso.com

Example 2: Reset default registered SPNs

        setspn -r daserver1

        Registering ServicePrincipalNames for CN=DASERVER1,CN=Computers,DC=reskit,DC=contoso,DC=com
        HOST/daserver1.reskit.contoso.com
        HOST/daserver1
        Updated object

Example 3: Add a new SPN

        setspn -s http/daserver1.reskit.contoso.com daserver1

        Registering ServicePrincipalNames for CN=DASERVER1,CN=Computers,DC=reskit,DC=contoso,DC=com
        http/daserver1.reskit.contoso.com
        Updated object

Example 4: Remove an SPN

        setspn -d http/daserver1.reskit.contoso.com daserver1

        Unregistering ServicePrincipalNames for CN=DASERVER1,CN=Computers,DC=reskit,DC=contoso,DC=com
        http/daserver1.reskit.contoso.com
        Updated object

Wednesday, February 20, 2019

NATIVE AUDITING - Windows Server - Event Viewer

  1. Navigate to the file share, right-click it and select "Properties" → "Security" tab → "Advanced" button → "Auditing" tab → click "Add":
  2. Select Principal: "Everyone"; Select Type: "All"; Select Applies to: "This folder, subfolders and files"; select the following "Advanced Permissions": "Delete subfolders and files" and "Delete".
  3. Run gpedit.msc, create and edit a new GPO → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
    •    Audit object access → Define → Success and Failures.
  4. Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:
    •    Audit File System → Define → Success and Failures.
    •    Audit Handle Manipulation → Define → Success and Failures.
  5. Link the new GPO to the file server and force the group policy update.
  6. Open Event Viewer and search the Security log for event ID 4656 with the "File System" or "Removable Storage" task category and the string "Accesses: DELETE". "Subject: Security ID" will show you who deleted the file.
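Instead of searching the rendered message text by hand, the 4656 events from step 6 can be pulled and filtered with PowerShell. This is an added example, not part of the original post: it reads the structured EventData, keeps only file-system handle requests whose requested access includes the DELETE bit, and prints the requesting account. The -Hours and -Path parameters are assumptions of this script.

```powershell
# Added example: list 4656 "handle requested" events whose requested access
# includes DELETE, showing who asked for them. Run in an elevated PowerShell on
# the file server once the audit policy from the steps above is applied.
param(
    [int]$Hours = 24,       # assumed: how far back to search
    [string]$Path = ''      # assumed: optional substring filter on the object name
)

# DELETE bit of the Windows ACCESS_MASK; rendered as "Accesses: DELETE" in the event text.
$DELETE_MASK = 0x10000
$start = (Get-Date).AddHours(-$Hours)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = $start } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Use the structured EventData fields rather than regex over the message.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Task category "File System" -> ObjectType is File.
        if ($data['ObjectType'] -ne 'File') { return }

        # AccessMask is a hex string such as 0x10000; keep events requesting DELETE.
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if (($mask -band $DELETE_MASK) -eq 0) { return }

        if ($Path -and $data['ObjectName'] -notlike "*$Path*") { return }

        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            SubjectSid = $data['SubjectUserSid']    # "Subject: Security ID" from step 6
            Object     = $data['ObjectName']
            Process    = $data['ProcessName']
            HandleId   = $data['HandleId']
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

4656 records that DELETE access was requested, not that the object is gone; the HandleId column lets you match the request against the corresponding 4660 ("An object was deleted") event to confirm the deletion actually happened.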

Report sample: