To restrict an Active Directory Group to a single VPN Tunnel Group


Let’s say you have Cisco ACS up and running. It is already successfully talking to your Active Directory installation. You also already have an existing VPN Client remote configuration where the group policy name is “GP_VPN_ITNET” and the tunnel group name is “TG_VPN_ITNET”.

Now you have an Active Directory group called “RG_VPN_ITNET” and want to ensure that the only VPN remote access profile that group can use is the existing remote configuration.


Windows Domain Login Script

I don’t think I ever posted this before. If you need a login script to map drives and network printers based on Windows domain group membership for users, try the below. Put it in a vbs file like login.vbs. Edit “domainname” to be your Windows domain name, and edit the permission group names appropriately. It also has an example of removing existing drive mounts before trying to mount by group.


Scheduled MBSA Scans

The Microsoft Baseline Security Analyzer (MBSA) comes with a command line interface, so it is pretty easy to make a bat file to schedule. You will need blat to email the notification if you want. I tried to make blat email a UNC or URL link to where the reports are saved but have not had luck. Put your list of targets to scan in the servers.txt file with one name per line.

rem ---------- Set Variables
set MailTo1=""
set ServerList=g:\logs\servers.txt
set ArchivePath=g:\logs\LogArchive\MBSA
set ReportPath=%ArchivePath%
set MBSAPath="C:\Program Files\Microsoft Baseline Security Analyzer 2\"
set uname=%username%

rem ---------- Enter Logs folder and clear out temp files and old reports
del "%userprofile%\SecurityScans\*.mbsa"
del resultslist.txt

rem ---------- Run MBSA Against Server List to Generate Reports
%MBSAPath%mbsacli /listfile %ServerList%

rem ---------- archive scan
rem DATE /T is split on "/" and spaces; tokens 2-4 are month, day and year on a US-locale system
FOR /f "tokens=2-4 delims=/ " %%G IN ('DATE /T') DO (
SET _mm=%%G
rem plain SET keeps the leading zero; SET /A would reject 08 and 09 as invalid octal
SET _dd=%%H
SET _yyyy=%%I
)

mkdir %ArchivePath%\%_yyyy%%_mm%%_dd%
copy "%userprofile%\SecurityScans\*.mbsa" %ArchivePath%\%_yyyy%%_mm%%_dd%\*.mbsa
dir /b %ArchivePath%\%_yyyy%%_mm%%_dd%\ > resultslist.txt

rem ---------- use blat to email report
blat -to %MailTo1% -subject MBSA-Scan-Completed -sig resultslist.txt -body "To view results check files located at %ReportPath%\%_yyyy%%_mm%%_dd%\"

Windows Password Recovery

Every now and then on the Certified Computer Examiner mail list someone asks about recovering passwords in Windows. It is easy to change them with a Linux boot disk. But there are times when knowing the actual passwords is important. I wrote the below a long time back for the In the Trenches podcast.

You have a PC or laptop running Windows XP that you really need to know the administrator password for. Perhaps it is a production machine you do not have time to reload and knowing the existing password will give you a hint on who may have changed the password.

Software Needed:

Hardware Needed:

Preparing Ahead of Time:

  • Sam Inside is a commercial package but you can download an eval.
    • We need this because it can import both the SAM and SYSTEM file to extract the password hashes and then export into a pwdump format that Cain can read.
  • Cain and Abel will allow us to recover the lost passwords using Rainbow Tables.
  • You can download already computed Rainbow Tables from the Shmoo group via bittorrent.
    • I keep all my rainbow tables on an external USB2-Firewire Drive.
    • For the larger table types like lanman symbol14 alphanumeric keep the tables divided into subfolders for each “disc” so it is in groups of about five files. We will discuss why in a minute.

Time to Recover a Password

Grab the hashes and use Sam Inside to recover a pwdump-formatted file.

  • Take the hard drive out of the source system.
    • Place the hard drive into the usb2-firewire carrier and attach to your system.
    • We need two files for Sam Inside to help us.
      • c:\windows\system32\config
        • SAM and SYSTEM registry files – Save these to your local hard drive.
      • Open up Sam Inside and choose File-Import from SAM and SYSTEM registry files.
      • Now choose File-Export as pwdump format and save it to the work folder on your system.

Pull the hashes into Cain and Recover the Password

  • Open up Cain and choose the Cracker tab.
    • Choose LM and NTLM hashes from the tree in the left pane.
    • Click the + icon, choose import from text or sam file. Browse to the file you exported from Sam Inside.
    • Select the hashes now showing in the right pane. Right click and choose Cryptanalysis Attack LM.
    • Click Add Table on the dialog that comes up. Browse and add the first group of five tables. Then click Start.
    • If it does not find all the hashes then click Remove All and repeat adding the next five tables. Do this until you have used all your tables or the password is recovered.

There you go. Most passwords will be found this way without days or longer of brute force attacks. Keep in mind you are limited by the rainbow table character set you choose to use.

Counter Measures

Keep in mind this recovery process can be misused by malicious people. If they have physical access to your system, you can see that your passwords are short lived. You should check out a previous segment on Laptop Hard Drive passwords on the wiki.
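
The table lookup described above depends on an LM hash being stored for the account. As an added example (not part of the original post), this Python script audits a pwdump-format export and lists the accounts that still carry one; the account names and hash values in SAMPLE are constructed, and the function names are hypothetical.

```python
# Added example: audit a pwdump-format export for stored LM hashes.
# Every account name and hash value in SAMPLE is constructed for illustration.
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_LM_HALF = EMPTY_LM[:16]                  # hash of one empty 7-character half
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

SAMPLE = """\
Administrator:500:0123456789abcdeffedcba9876543210:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
kiosk:1003:1111111111111111aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
svc_backup:1004:NO PASSWORD*********************:8899aabbccddeeff0011223344556677:::
"""

@dataclass
class Finding:
    user: str
    rid: int
    lm_stored: bool   # a real LM hash is on disk, so LM rainbow tables apply
    max7: bool        # second LM half is empty: password is 7 characters or fewer
    blank: bool       # NT hash is that of an empty password

def _is_hash(value):
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)

def audit_pwdump(text):
    """Parse user:rid:lm:nt::: records and classify each account."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # skip blank lines and anything that is not a record
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        lm_stored = _is_hash(lm) and lm != EMPTY_LM
        findings.append(Finding(user, rid, lm_stored,
                                lm_stored and lm[16:] == EMPTY_LM_HALF,
                                nt == EMPTY_NT))
    return findings

def lm_exposed(findings):
    """Accounts whose stored LM hash makes the table lookup above possible."""
    return [f.user for f in findings if f.lm_stored]

if __name__ == "__main__":
    for f in audit_pwdump(SAMPLE):
        print(f)
```

Accounts it flags keep their LM hash until the Windows policy "Network security: Do not store LAN Manager hash value on next password change" is enabled and the password is then changed.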