Monthly archives: December 2011

GPO tip for lazy admins

During my DirectAccess deployment projects, I have to deal with security group membership for computer accounts. Restarting my DirectAccess clients to update the computer's Kerberos ticket takes time. Waiting for the tickets to be renewed takes too much time. There might be an alternative solution. Let's have a look at the great tools from Mark Russinovich, available at this location.

Let's start with the initial state of my DirectAccess computer. The GPRESULT.EXE output indicates that the computer is not yet a member of the “Lazy Admin group”. I don't want to restart the computer!

First Sysinternals tool: LOGONSESSIONS.EXE, which provides information about the sessions opened on the DirectAccess client computer. We can see that the computer account has a Kerberos ticket. The local System account SID is S-1-1-18:

We now have the LogonID of the Computer account. Let’s have some additional information about this session with the KLIST.EXE command line.

We have Kerberos tickets negotiated by the computer account. Let’s purge these tickets.

And force the computer to obtain new Kerberos tickets with a simple GPUPDATE.EXE /FORCE command.

Does my computer negotiate new Kerberos tickets? Yes! Let's look at the GPRESULT.EXE results. And surprise, the computer is now a member of a new security group and applies a new GPO.
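
The steps above as one script, as an added example that is not from the original post. It assumes an elevated prompt, uses the post's group name as a replaceable parameter, and assumes the computer account's tickets sit in the Local System session with the well-known logon ID 0x3e7 (confirm it against the LOGONSESSIONS.EXE output):

```powershell
# Added example: refresh the computer account's group membership without a reboot.
# Run from an elevated PowerShell prompt on the client.
param(
    # Assumption: the group name used in the post; replace with your own group.
    [string]$GroupName = 'Lazy Admin group'
)

# Assumption: 0x3e7 is the well-known logon ID of the Local System session,
# which holds the computer account's Kerberos tickets.
$SystemLogonId = '0x3e7'

function Test-ComputerGroup {
    param([string]$Name)
    # The /r report for the computer scope lists the groups the computer belongs to.
    $report = gpresult.exe /r /scope computer 2>&1 | Out-String
    return $report -match [regex]::Escape($Name)
}

# Reading and purging another logon session's tickets requires elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

if (Test-ComputerGroup -Name $GroupName) {
    Write-Host "Computer already reports membership of '$GroupName'; nothing to do."
    return
}

# Show the tickets currently held by the computer account, then purge them.
klist.exe -li $SystemLogonId tickets
klist.exe -li $SystemLogonId purge

# The Group Policy refresh makes the computer request new tickets.
gpupdate.exe /target:computer /force
klist.exe -li $SystemLogonId tickets

if (Test-ComputerGroup -Name $GroupName) {
    Write-Host "'$GroupName' is now in the computer's group list."
} else {
    Write-Warning "'$GroupName' is still missing: check the membership and AD replication."
}
```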

It is simple by design. The Sysinternals tools are the lazy admin's best friends.

BenoitS – Simple and Secure by design but Business compliant.

Techdays 2012: DirectAccess again and again

It is becoming a tradition: with each new edition of Techdays comes a new session on DirectAccess. In the 2011 edition, we dwelt on the importance of the project approach (with no demo, don't hit me, don't hit me!). This year, we are going to talk operations. So this year there will be troubleshooting demonstrations, a topic I was not able to cover in 2011.

As in 2011, come in numbers, we are expecting you. We have plenty to say on the subject: Feedback from the field on DirectAccess, best practices, troubleshooting (SEC2307)

Benoits – Simple and Secure by Design but business compliant.

DirectAccess Book is closed

We've just received an email from our publisher and our DirectAccess book will be available on the 9th of January 2012. This is the end of a long piece of work started at the beginning of March 2011.

The book is not yet available, but you can get more information about it from our publisher's web site. Thank you to all of you who supported us during this hard work. We hope you will appreciate this book.

BenoîtS – Simple and Secure by design but business compliant