Category: Management

Categories
Management Security

SonicWall App Control

App Control

To restrict inbound/outbound traffic of an application:

  1. Login to your SonicWall with admin privileges
  2. Navigate to the Policy tab
  3. Expand Security Services on the left-hand pane, click App Control
  4. Turn on the switch Enable App Control, Accept to apply changes
  5. Switch to the Signatures tab within App Control
  6. Filter the app you wish to alter access for, given the provided dropdowns
  7. Hover over the application, and click the edit symbol, select the criteria that best suits your needs

Categories
Management Security

Audit 4625

Individual machines world-wide are being hacked away at everday; we are generally only aware of those attempts that are successful. However, monitoring the failed attempts will help identify potential vulnerabilities.

In order to monitor Failed Login attempts, we can take advantage of the Windows Event 4625, which signifies that a login has failed to gain access to the pc. In combination with Event Scheduler, we can automate this process into a recurring alert that emails us as soon as a failed login is detected.

See the code and procedure below:

$EventId = 4625

$A = Get-WinEvent -MaxEvent 1 -FilterHashTable @{Logname = "Security" ; ID = $EventId}
$Message = $A.Message
$EventID = $A.Id
$MachineName = $A.MachineName
$Source = $A.ProviderName

Get-WinEvent -MaxEvents 1 | foreach {
    		$sid = $_.userid;
    		if($sid -eq $null) { return; }
    		$objSID = New-Object System.Security.Principal.SecurityIdentifier($sid);
    		$objUser = $objSID.Translate([System.Security.Principal.NTAccount]);
    		Write-Host $objUser.Value;
	}


$EmailFrom = "from@email.com"
$EmailTo = "to@email.com"
$Subject ="Alert From $MachineName"
$Body = "EventID: $EventID`nSource: $Source`nMachineName: $MachineName `nMessage: $Message"
$SMTPServer = "mail.domain.com"
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, PORT_NUM)
$SMTPClient.EnableSsl = $true
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential("username", "password");
$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)

How to configure and run Audit_2025 Script (Automatic Alerts for Failed Login):

  1. Log onto target machine, user privileges (admin/regular) doesn’t matter

Setup Script:

  1. Navigate to the local C: drive on the computer
  2. Create a .ps1 file named “Audit_4625”
  3. Open this file in the text editor of your choice
  4. Copy and paste the “Audit_4625” script from above
  5. Confirm to: email is YOUR_EMAIL
  6. Save the file

Setup PowerShell:

  1. In the start search field, search for either PowerShell or PowerShell ISE, right-click run as administrator
  2. In the PowerShell window, run the command Get-ExecutionPolicy, if output is Restricted move to sub-step
    1. If Execution Policy is restricted, run the following command:

Set-ExecutionPolicy RemoteSigned

  1. Run the Get command again to check status update

Setup Task:

  1. Navigate to Event Viewer
  2. In Event Viewer Left-Hand Pane, select Windows Logs > Security
  3. Filter events by ID: 4625 (id for failed login)
    1. If no events are logged, filter for ID: 4624 instead (id for successful login)
  4. Right-click any event with this ID, select Attach a task to this event, a Create Basic Task Wizard will popup
  5. Rename task Security_Microsoft-Windows-Security-Auditing_4625
    1. Optional add a description of the task “Automatic email alert when failed login attempt on some user”
  6. Click next, leave default event trigger settings
    1. If Event ID is 4624, that is ok for setup, we will change later in Task Scheduler
  7. Click next, select action as Start a Program
  8. Click next, on the Action sub-menu Start a Program, enter the file path for Windows Powershell in the Program/Script field

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

*easiest to search/browse for file*

  1. In the Add Arguments (optional) field, type the path to script Audit_4625 in the C: Drive – C:\Audit_4625.ps1
  2. Click next, verify information, select Finish

Setup Task Scheuler:

  1. Navigate to Task Scheduler
  2. In either Active Tasks or Event Viewer Tasks, locate the new Security_Microsoft-Windows-Security-Auditing_4625 task
  3. Double-click task and task properties window will popup
  4. In general tab, select radio button Run whether user is logged on or not, select check box Run with highest privileges
  5. Confirm configuration is correct for what your machine runs with
  6. On trigger tab, double-click trigger, change Event ID to 4625, click OK
  7. On conditions tab, uncheck boxes Start the task only if the computer is on AC power and Stop if the computer switches to battery power, click OK
  8. Confirm changes and select OK, type user password if prompted to confirm changes

Test Script:

  1. Log off of user, wait for login screen to appear
  2. Type in wrong password
  3. If configured correctly, YOUR_EMAIL will receive an email alert with details of the triggered event

Known Bugs:

  1. Due to Microsoft security, if failed login attempt of user with Microsoft account, alert will fire but will not resolved SID due to it being set to NULL
  2. Event may not trigger/script will throw error if no logs associated with the id are found
Categories
Development Management Security

How to Create Strong Passwords: A Comprehensive Guide

1. Password Length:

  • An ideal password should be between 12-14 characters in length

2. Use a Combination of Letters, Numbers, and Symbols:

  •  The greater the variation in characters, the harder it will be to brute-force your password
  • Use different numbers, letters, cases, and special characters like @#$^- to strengthen your password

3. Avoid Using Common Words or Phrases:

  • Many insecure passwords are too similar to every-day phrases
  • While they are easy to remember, they are easy to guess

4. Avoid Using Sequences or Patterns:

  • Don’t use repeatable sequences or patterns in your passwords
  • If a hacker is able to establish a pattern from one password, they can quickly guess all of your passwords that follow the same pattern

5. Avoid Using Personal Information:

  • Personal information is easily visible to the public via social media, account names, services, etc. thus, can be found by anyone if they know where to look

6. Use a Password Manager:

  • A password manager can help keep track of your passwords in a secure way, making it so you don’t have to memorize your passwords, thus you can make them as complex as you want
  • Most password managers include a password creation tool, as well as browser plugins to quickly grab your passwords
  • We recommend the password manager BitWarden

7. Regularly Update Your Passwords:

  • The best way to maintain security is to be proactive
  • If you think a password may have been leaked, the safest thing to do is change it
  • Don’t keep less secure passwords for more than a few months

8. Two-Factor Authentication (2FA):

  • If your account in question offers two-factor authentication, set it up
  • The use of a pin, phone-number, or recovery address greatly increases your security, while decreasing the number of successful break-ins

9. Use Unique Passwords for Each Account:

  • One of the worst things you can do is reuse passwords for multiple accounts
  • Likewise, you should not share passwords between people

10. Train Your Team:

  • If applied to a work environment, make sure your team is responsibly creating credentials
  • The best way to stay safe is to be educated

Follow these guidelines and you will be on your way to peace of mind and Fort Knox level security!

Want to create a strong password?

Try Passwordmonster