--- tags: ccdc, qualifiers --- # Securing CyberPatriot Windows Hosts (Windows Vista/Server 2K8 and Above) > Note: It is recommended to solve the forensic Questions first! However, some answers may be not be easy to find without fixing some mis-configurations. Please use `gpresult` before you do anything. > Checkout the [Checklist](https://docs.google.com/spreadsheets/d/1odJzfQegfVDtNZOgpi4kNYGmIQ9BWY4ACRa4Nsr7Le0/edit#gid=1688897548)! **\* Sections made after the wildcard event are denoted by "*".** > (Rayce) All of the machines from cyberpatriot (and cybersentinel) are in my possession. You will find unregistered copies of the Round 3 Cybersentinel machines on ccdcmoose. The Windows 10 image was the most problematic due to a user policy that disabled security settings in the Computer scope. ## Initial Overview **Open command prompt as an administrator** #### *Preserve Current Policy Misconfigurations ```cmd gpresult /z >> %windir%\detailedpolicies.txt ``` > (Rayce) I used to run `gpresult /h policies.html`, however, the export would always be flawed in browsers. Running the command with "/z" will produce a more verbose policy output representation of the "All Settings" list shown in `gpedit`. It includes misconfigured registry keys and other details. *Please review* the **two** "All Settings" categories in `gpedit` under both the "Computer" and "Users" scopes. This area will provide an explanation regarding each defined registry key policy. > >The policy in question which caused the most trouble is a obscure policy that disables (and hides) the scope of the Computer Configuration's **Security Settings** policies. >The registry key of the policy that disables this setting is located in: > >The path of the policy that disables this setting is located in: >`\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in Extensions\Security Settings` >Set this policy to "Not Configured" to restore the default configuration of this setting. > >I noticed an interesting phenomenon with registry keys. Some registry keys are not reflective whatsoever in group policy even though those particular settings are applied. If command prompt or task manager was disabled via a direct modification of the registry in `regedit`, you will not see this particular policy applied in group policy. I assume this should be changed directly in the registry instead. CyberPatriot may make some registry keys read-only to prevent easy modification by the administrator. #### *Using the `reg` command to remove bad keys: ```cmd reg delete <key> /v <data> /f reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /f ``` > Note: CURRENT_USER HIVE keys must be altered using an elevated administrator shell (keys must not be altered as the NT AUTHORITY/SYSTEM user) #### * Alternatively: Using `reg` to alter keys ```cmd reg add <key> /v <data> /t REG_DWORD /d <value> /f reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "0" /f ``` > Note: CURRENT_USER HIVE keys must be altered using an elevated administrator shell (keys must not be altered as the NT AUTHORITY/SYSTEM user) #### *Query Keys using PowerShell ```cmd Get-ItemProperty -Path '<key>' -name "<data>" Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" ``` #### *Common Manually Tampered Registry Keys Some registry keys will override policies created in `gpedit.msc`. Such keys must be changed in `regedit` or with the CLI `reg`command. | Key | Data | Recommended Value | |:--------------------------------------------------------------------------- | -------------- | ----------------- | | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | DisableCMD | Delete or 0 | | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr | Delete or 0 | | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoControlPanel | Delete or 0 | | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection | DisableRealTimeMonitoring | Delete or 0 | | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\ | Delete | > If permissions are an issue for registry keys, first attempt modifying the key as the NT AUTHORITY/SYSTEM user using PSEXEC. The competition organizers likely modified the keys as SYSTEM. > > Alternatively, add the "Administrators" group as an owner. The Windows Defender registry key and each of its subfolders should maintain inheritance. Make sure to replace all child objects in each subfolder in order to access the necessary key. Test the creation of keys in each registry folder layer (e.g. attempt to create keys in Windows Defender. If possible, attempt to create a key in Exclusions. If possible, attempt to create a key in paths. If possible, remove the `C:\` exclusion) > > If policies are not sticking, consider making the ACLs of the respective policy registry keys read only for all groups/users after setting them. #### *UVA's Windows Strategy (Rayce) Backups of UVA's most recent strategy (post-winning the NCCDC) are stored on the Google Drive in the UAA CCDC shared folder. Please contact me if you need access to these backups. UVA's strategy for Cyberpatriot mostly consists of the usual checklist; however, they were able to automate much of this checklist using a custom-developed application written by UVA called [BLUESPAWN](https://github.com/ION28/BLUESPAWN/). Similar to the Microsoft Security Compliance Toolkit, it identifies poorly implemented policies and possible security risks/mitigations. ### Fixing Mis-configurations > The following commands cannot be executed in powershell. If CMD is disabled, correct the policy in regedit or gpedit. ```cmd sc config mpssvc start= auto sc start mpssvc sc config WinDefend start= auto # This service may be tampered with sc start WinDefend # Start manually if it fails sc config EventLog start= auto sc start EventLog sc config wuauserv start= auto sc start wuauserv sc config WSearch start= auto sc start WSearch sc config snmptrap start= disabled sc stop snmptrap sc config remoteregistry start= disabled sc stop remoteregistry sc config winrm start= disabled sc stop winrm sc config rpclocator start= disabled sc stop rpclocator netsh advfirewall reset ncpa.cpl # Right-click the interface, properties, uncheck ipv6 ``` #### If beyond repair, the following commands will remove all bad policies from the system. ```cmd rd /s /q %windir%\System32\GroupPolicy rd /s /q "%WinDir%\System32\GroupPolicyUsers" gpupdate /force type %windir%\inf\defltbase.inf | findstr /v “__Members” >> default.inf secedit /configure /db leedles.sdb /cfg default.inf gpupdate /force ``` #### Is your server an active directory domain controller? Run the following to restore both the default domain controller policy and default domain policy ```cmd dcgpofix /ignoreschema gpupdate /force ``` #### Enable All Audit Policies ```cmd auditpol.exe /set /category:* /failure:enable /success:enable ``` #### Make Hidden/System files and folders visible in Powershell or CMD (admin): > Possibly faster to enable in Windows Explorer ```cmd reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 1 /f ``` #### Identify Malicious Tasks, then Backup/Remove All Tasks Malicous tasks are generally created recently or specifically target a script/executable. Such tasks can be identified like so in command prompt (file may be corrupted in powershell): ```cmd schtasks /query /v /fo list > C:\Users\schtasksBackup.txt findstr /i "C:\" C:\Users\schtasksBackup.txt notepad C:\Users\schtasksBackup.txt ``` Search for custom authors or strings that begin with a filepath. > e.g searching for malicious tasks using custom authors on machine hostname "UA" or "C:\" > >Search "UA\\" or "C:\\" in notepad Examples of malicious tasks (most red team persistence will start at login and/or run every few minutes): ```cmd Folder: \ HostName: MIGHT TaskName: \tini Next Run Time: N/A Status: Running Logon Mode: Interactive/Background Last Run Time: 1/29/2021 4:56:05 PM Last Result: 267009 Author: UA\midoriya Task To Run: C:\Logs\tini.exe Start In: N/A Comment: N/A Scheduled Task State: Enabled Idle Time: Disabled Power Management: Stop On Battery Mode, No Start On Batteries Run As User: SYSTEM Delete Task If Not Rescheduled: Disabled Stop Task If Runs X Hours and X Mins: 72:00:00 Schedule: Scheduling data is not available in this format. Schedule Type: At logon time Start Time: N/A Start Date: N/A End Date: N/A Days: N/A Months: N/A Repeat: Every: N/A Repeat: Until: Time: N/A Repeat: Until: Duration: N/A Repeat: Stop If Still Running: N/A Folder: \Microsoft\Windows\Windows Defender HostName: MIGHT TaskName: \Microsoft\Windows\Windows Defender\disable_defend Next Run Time: N/A Status: Ready Logon Mode: Interactive/Background Last Run Time: 1/30/2021 11:01:06 AM Last Result: 0 Author: UA\midoriya Task To Run: "C:\Windows\System32\disable _defend.bat" Start In: N/A Comment: N/A Scheduled Task State: Enabled Idle Time: Disabled Power Management: Stop On Battery Mode, No Start On Batteries Run As User: SYSTEM Delete Task If Not Rescheduled: Disabled Stop Task If Runs X Hours and X Mins: 72:00:00 Schedule: Scheduling data is not available in this format. Schedule Type: At logon time Start Time: N/A Start Date: N/A End Date: N/A Days: N/A Months: N/A Repeat: Every: N/A Repeat: Until: Time: N/A Repeat: Until: Duration: N/A Repeat: Stop If Still Running: N/A Folder: \Microsoft\Windows\Windows Error Reporting HostName: MIGHT TaskName: \Microsoft\Windows\Windows Error Reporting\bd Next Run Time: N/A Status: Running Logon Mode: Interactive/Background Last Run Time: 1/30/2021 10:56:06 AM Last Result: -2147020576 Author: UA\midoriya Task To Run: C:\Users\midoriya\AppData\Roaming\bd.exe Start In: N/A Comment: N/A Scheduled Task State: Enabled Idle Time: Disabled Power Management: Stop On Battery Mode, No Start On Batteries Run As User: SYSTEM Delete Task If Not Rescheduled: Disabled Stop Task If Runs X Hours and X Mins: 72:00:00 Schedule: Scheduling data is not available in this format. Schedule Type: At logon time Start Time: N/A Start Date: N/A End Date: N/A Days: N/A Months: N/A Repeat: Every: N/A Repeat: Until: Time: N/A Repeat: Until: Duration: N/A Repeat: Stop If Still Running: N/A ``` Scheduled tasks can also be analyzed here: ```cmd dir /o-d C:\Windows\System32\Tasks\Microsoft\Windows | more ``` > There is a fair possibility that the organizers created a scheduled task that will automatically import the previous bad policies with LGPO. **IMPORTANT:** Before deleting scheduled tasks, analyze and delete malicious script or exe first. > Specific point checks may check if malicious file or script exists. > >Note: Script/Exe may have hidden or system protected flags enabled. **DANGEROUS:** Deleting all scheduled Tasks: ```cmd for /f "tokens=1,* delims= " %a in ('schtasks /query /fo LIST /v ^| findstr "TaskName"') do schtasks /delete /tn "%b" /f ``` > It is recommended to delete scheduled tasks individually in task scheduler or using the `schtasks` cmdlet ### Fixing Action Center (Vista & 2008 R2 and above) > Enable these manually on Server 2008 1. Open `control panel` (this can be typed into cmd). 2. Go to *Action Center* 3. *Change Account Center Settings* a. Check everything 4. Restore Default/Recommended Settings and turn on all Security Panel options a. Enable Windows SmartScreen b. Enable automatic windows update c. Enable Network firewall d. Restore default network settings e. Put UAC on recommended settings or higher (3 or higher) ### Record and Remove Network Shares >DO NOT DELETE SHARES on SMB/File Servers like Active Directory >Please refer to your readme for critical services. ```cmd wmic share wmic share delete ``` If you are a SMB Server, remove unncessary shares manually. ```cmd wmic share wmic share ADMIN$ delete wmic share C$ delete wmic share <prohibited share> delete ``` > Investigate deleted shares. Remove files that shouldn't belong. ### Change passwords #### In an administrator cmd prompt: ```cmd set pwd=”qwer1234QWER!@#$” notepad pwds.bat ``` #### in notepad, write the script: ```shell= @echo off for /f %%i in ('wmic useraccount get name ^| findstr /r /v /i "^$ Name"') do net user %%i %pwd% ``` #### Run the script: ```cmd pwds.bat ``` #### Also add this: ```cmd wmic useraccount set PasswordExpires=true wmic useraccount set PasswordChangeable=true ``` ### Import DoD SecEdit STIG Configurations > **Note: Screenshot your current points before moving forward** #### Possible Clients: | Windows 7 | Windows 8/8.1 | Windows 10 | |:-----------------------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------------------------:| | [Sunset STIG](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Windows_7_V1R30_STIG.zip) | [GPO Pack](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_STIG_GPO_Package_February_2020.zip) | [GPO Pack](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_STIG_GPO_Package_February_2020.zip) | #### Possible Servers: > Note: Unless you are an Active Directory Domain Controller, install the Member Server (MS) GPO's or STIGs | 2008 (Non-R2) | 2008 (R2) | 2012 (Non-R2) | 2012 (R2) | 2016 | 2019 | |:------------------------------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------------------------:| | [STIG Library](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SRG-STIG_Library_2020_01v4.zip) | [STIG Library](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SRG-STIG_Library_2020_01v4.zip) | [STIG Library](https://send.firefox.com/download/24c441e2458a8404/#4t9lZBJU5f5YgRTv_iPUxQ) | [GPO Pack](https://send.firefox.com/download/24c441e2458a8404/#4t9lZBJU5f5YgRTv_iPUxQ) | [GPO Pack](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_STIG_GPO_Package_February_2020.zip) | [GPO Pack](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_STIG_GPO_Package_February_2020.zip) | #### GPO Pack Installation: 1. Download [LGPO.zip](https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip) > https://www.microsoft.com/en-us/download/details.aspx?id=55319 2. Export lgpo.exe to C:\STIG\ 3. Export relevant GPO GUID folders to C:\STIG\ > e.g. C:\STIG\\{1CF79D2C-7EF9-4B79-81DF-39E865439DB6} C:\STIG\UserSettingsL1\{44A16D69-5D67-453F-98FE-9880ADD6E7E3} 4. Install both GUID's in an administraive command prompt: ```cmd C:\STIG\lgpo.exe /g C:\{Actual Machine GUID} C:\STIG\lgpo.exe /g C:\{Actual User GUID} gpupdate auditpol.exe /set /category:* /failure:enable /success:enable ``` 5. **Rename** the Administrator user and Guest user to their appropriate names in `gpedit.msc` #### STIG Pack Installation: 1. Export U_<HOST>_Analyze_only_<Version>.inf 2. Rename Administrator and Guest users to their original names 3. Install stigs with secedit: ```cmd secedit /configure /db leedles.sdb /cfg U_<HOST>_Analyze_only_<Version>.inf gpupdate auditpol.exe /set /category:* /failure:enable /success:enable ``` 4. 5. **Rename** the Administrator user and Guest user to their appropriate names in `gpedit.msc` ### Requires Reboot > Admin user will no longer be able to login automatically. > Please make sure this user has their password set. Compare the first screenshot of your points with your points after the reboot. > May need to rerun the auditpol configuration from the beginning. ### Delete Unauthroized Users: #### Record Authorized users in a text file called `users.txt` and sort this file, then compare it with the list of authorized users. ```cmd sort users.txt wmic useraccount get name net user <username> /delete ``` #### Disable Users like Guest ```cmd net user Guest /active:no ``` #### Deleting Unauthorized Users in a loop (Verify all users in `delusers.txt` are bad) ```cmd for /f %i in ('type delusers.txt') do net user %i /delete ``` #### Remove bad administrators. ``` net localgroup administrators net localgroup administrators <username> /delete ``` #### Investigate User groups (Review unusual groups) > Scroll through user groups in `control userpasswords2` > Groups can be managed with `lusrmgr` ``` control userpasswords2 # Check "Users must enter a user name and password to use this computer" ``` >Groups to investigate: >Administrators >Enterprise Admins >Domain Admins >Guests >Backup Operators >Remote Desktop Users >Remote Management Users >WinRM Remote ### Add users or Groups that Should Exist > REFER TO THE DOCUMENTATION FOR VALID USERS/ADMINISTRATORS #### Create valid user ```cmd net user <valid user> * /add ``` #### Create Valid Group ```cmd net localgroup <valid group> /add ``` Add valid user to valid group: ```cmd net localgroup <valid group> <valid user> /add ``` ## Removing Services and Investigating Files ### Removing Windows Features: If on a Windows Server, remove unnecessary services and features from Server Manager > For example, an IIS Server does not require the FTP Publishing Feature to be enabled. Disable the FTP service for points. If on a Windows Client, utilize the optional features UI: > Turn off services like .NET Framework 4.5 (ASP.NET and TCP Port Sharing), SMB 1.0, Internet Information Services, Simple TCPIP services, Telnet, TFTP, Hyper-V, AD, etc ``` optionalfeatures.exe ``` Identifying unusual services in command prompt: ``` netstat -ano | findstr /i "listen" netstat -bano #Shows which applications are on what ports ``` ### Identify Suspiciously Automatic/Disabled/Running Services: Open the services manager with `services.msc` Locate suspicious services that you may have missed earlier. 1. Are there any services with no description? a. Remote Services Manager (RSMSS) is a backdoor. b. Mozilla Maintenance Servce has no description - likely a backdoor 2. Are there any suspicous processes with a description that is the same as the process name? a. `vmproc.exe` and `svchost.exe` might be RSMSS backdoors b. The real svchost's description is *Host Process for Windows Services* 2. Is Windows Update or Windows Defender on? a. Open Windows Defender from the `control panel` or run: b. `"C:\Program Files\Windows Defender\MSASCui.exe"` in cmd 3. Is Remote Desktop or TeamViewer still running and not disabled/uninstalled? > Remote Desktop can be disabled in `systemadvancedproperties` under the remote tab. ### Enumerate User Directories: **Remove all files containing user passwords and suspicious EXE binaries** Make Hidden/System files and folders visible in Powershell (admin): > Possibly faster to enable in Windows Explorer ``` reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 1 /f gps 'explorer' | stop-process ``` Open PowerShell as Administrator: > Printing all **normal** files to console in C:\Users ```powershell gci -recurse C:\Users | select fullname ``` > Saving record of user files to a text file and reviewing it ``` gci -recurse -attributes Hidden,System,Normal C:\Users | select fullname > userfiles.txt notepad userfiles.txt ``` If powershell is not installed, use CMD: ```cmd dir /s /b /a "C:/Users" >> userfiles.txt ``` Locating Prohibited media files (should be ran from C:\Users): ```cmd dir *.mp3 *.png *.tif *.jpg *.gif *.aif *.iff *.m3u *.m4a *.mid *.mpa *.ra *.wav *.wma *.3g2 *.3gp *.asf *.asx *.avi *.flv *.m4v *.mov *.mp4 *.mpg *.rm *.srt *.swf *.vob *.wmv /s /b /a h > mediafiles.txt ``` Locating Specific File `txt` extension (Recursively searches current directory): ```cmd dir *.txt /s /b /a h > mediafiles.txt ``` Locating portable executables (`exe` extension) in user directories > Remove any suspicious executables you did not download yourself ```cmd cd C:\Users dir *.exe /s /b /a h > mediafiles.txt ``` ### Uninstalling Programs or Suspicious Software From the `control panel`, visit programs and features. >Refer to the README for non-prohibited software e.g. Wireshark, nmap, Radio Players, CCleaner, TeamViewer, tonido, etc Investigate the following directories outside of C:\Users: * `C:\` * `C:\Program Files\` * `C:\Program Files (x86)\` * `C:\Program Data\` * `C:\Users\<user>\appdata\roaming\microsoft\windows\start menu\programs\startup\` * `C:\Windows\Temp` < -- Potential malicious executables * `C:\Windows\Globalization\Sorting` < -- Remove Genie.exe worm * `C:\Windows\Help` * `C:\Users\<user>\appdata\roaming\file.txt` < -- An exe file being copied to a start-up directory as a service or task (remove any/all instances of `file.txt`) #### Investigate Using Everything (easy-to-use indexer) * [Download from voidtools](https://www.voidtools.com/Everything-1.4.1.969.x86.zip) * Search for executables ## SysInternals Suite Visit the SysInternals page: http://live.sysinternals.com/ ### Investigate Start-up items 1. Download [autoruns.exe](http://live.sysinternals.com/Autoruns.exe) and run-as Administrator 2. Go to options --> Scan Options --> Checkmark: a. Verify Code Signatures b. Check Virus Total.com c. Submit Unknown Images 3. Review obvious binaries with multiple virus total flags. a. Uncheck (and delete) any supicious startup items. b. Look for viruses, suspicous `.bat` files, unverified applications, etc ### Investigate Running Applications 1. Download [procexp.exe](http://live.sysinternals.com/procexp.exe) and run-as Administrator 2. Right-click column area --> Select Columns -> Process Performance Checkmark: a. Process Timelne 3. Go to options --> Checkmark: a. Verify Image Signatures b. Check VirusTotal.com c. Submit unknown executables 4. Sort different categories (VirusTotal, Verified Signer, Process Timeline) and ssuspend suspicious files. a. Find where files/viruses originate. b. Remove backdoors. c. Watch for spawning processes ## Updates ### Non-Prohibited Applications Update all software in README. Most installed software will be 32-bit (x86). > Notepad++, jedit, Firefox, Geany, Putty ### Windows Updates Installing updates may take an eternity. Consider installing just service packs. | Windows 7 |Server 2008 | Server 2008 R2 | | --------------------------------------------------------------------------------- |:---------------------------------------------------------------------------------:|:---------------------------------------------------------------------------------:| | [Service Pack 1](https://www.catalog.update.microsoft.com/Search.aspx?q=KB976932) | [Service Pack 2](https://www.catalog.update.microsoft.com/Search.aspx?q=KB948465) | [Service Pack 1](https://www.catalog.update.microsoft.com/Search.aspx?q=KB976932) | | [Conven. Rollup](https://www.catalog.update.microsoft.com/Search.aspx?q=3125574) | | [Conven. Rollup](https://www.catalog.update.microsoft.com/Search.aspx?q=3125574) | ## Miscellaneous things #### Deleting all inbound rules on clients might score you points ```cmd netsh advfirewall firewall delete rule name=all ``` #### Disable SMBv1 on Sever 2008 ```cmd sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi sc.exe config mrxsmb10 start= disabled reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v SMB1 /t REG_DWORD /d 0 /f ``` #### If you run `sethc.exe`, does cmd or anything else open instead of sticky keys? If so, it's a backdoor. > This can be fixed by unchecking sethc.exe in Sysinternal AutoRuns. #### Enable UAC (Default Settings or higher) #### For Windows Servers, turn on "Internet Explorer Enhanced Security Configuration" for Administrators and Users #### Enable Internet Explorer Smart Filter #### Turn on Internet Explorer Protected Mode #### Restore IE Security to the default level under Internet, Local intranet, trusted sites, and restricted sites. #### Turn on IE Popup Blocker #### Look into microsoft security essentials #### Start and Enable the Adobe Acrobat Update service
Last changed by  
UAA CSC
UAA Cyber Security Club
1085

Read more

Untitled

#include <stdio.h> int main() { int i; for (i = 0; i < 10; i++) { puts("Hello, World!"); } } Directories (not case-sensitive)

4/28/2021
Update website user passwords

obtain a list of users find user table in database can run (mysql) query from terminal and write to file like: mysql -u root -p database_name -e "use database_name; select username_field from user_table_name" > users determine hashing algorithm and number of hash rounds used for user passwords common hash algos: $1$ | MD5

3/31/2021
HTTPS migration

verify openssl installed openssl version generate certificate and key openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt allow https for firewall iptables iptables -I INPUT -p tcp --dport 443 -j ACCEPT

3/31/2021
Linux Database Migration

Note: most values/variables with _ (underscores) are not literal and will need to be changed to an appropriate literal value Determine relevent database in DBMS mysql: SHOW DATABASES; Dump database to file db.sql (example, use a meaningful name) For SQL databases:

3/31/2021
Read more from UAA CSC
Published on HackMD