
Internal network vulnerabilities: are you at risk?

When it comes to securing your perimeter, you already do a great deal to comply with regulators.  You understand the risk of an attack on your network from malicious code on the Internet.  You have a firewall with intrusion detection.  You have gateway anti-virus and you run vulnerability assessments on your external IP addresses.

But what are you doing to ensure your internal network is secure?  You may not realize it, but malicious code can easily bypass your external defenses.  Trusted third-party connections, laptops that have been connected to a foreign network, employee software downloads or visits to malicious websites can compromise your internal network.  Once on your network, malicious code can:

  • Flood your network with traffic, paralyzing your business;
  • Read, transmit, modify or delete data;
  • Damage or erase operating systems; or
  • Supply hackers with information to break through your external defenses.

PowerShell commands for Active Directory

Using the free Quest PowerShell commands for Active Directory, we can do things like create multiple security groups from a list of names in a .csv file.  This is a huge time saver if you regularly create groups or users in large batches.

First, download the .msi from http://www.quest.com/powershell/activeroles-server.aspx and install it.


Next, create your CSV file with the names of the groups you want to create.  The very first line is the column header (newgroup in the command below); the script uses it to pull the group name from each row.


Here's the OU where I'm going to create the security groups.


Here's the code and a screenshot of what you should see if it runs successfully.

Please note, this code is all one line, but the site will probably wrap the text.

Import-Csv C:\newgroups_test.csv | ForEach-Object { New-QADGroup -Name $_.'newgroup' -ParentContainer 'OU=QAD_Test,OU=SJB_Groups,DC=Stevenjbradbury,DC=com' -GroupScope 'global' -SamAccountName $_.'newgroup' }


And here are the new groups.


This is just a very basic example of what can be done with the Quest PowerShell commands; you can find the admin guide here.

Active Directory user account lockout notification (Part 1)

Ever wanted to get an email notification when a user locks out their account?  Maybe not, but it is a good security practice.

Even if you have a good account lockout policy set up in group policy, something like this:


In theory, someone could still come back every 4 hours and make another 5 login attempts.  Would you ever know if the same user account kept getting locked out over and over every 5 hours?

With Server 2008 it's really easy to set up a basic notification to alert you when an account is locked out.  No third-party software is required, just the Task Scheduler on your domain controller.

On your domain controller, open the Task Scheduler and create a new task.  Be sure to check "Run whether user is logged on or not" and provide appropriate credentials for the task to use.


Then move over to the Triggers tab and create a new trigger.  You want this task to begin whenever Event ID 4740 (a user account was locked out) is logged in the Security log.


Now move over to the Actions tab and add a "Send an e-mail" action.


The Conditions and Settings tabs can usually be left at their defaults.  Now go ahead and test it.

You'll find only one problem with this little trick: it doesn't tell you who locked themselves out!  You still need to go into the event log, look for event 4740 and read the message to find out who it was, or wait for that user to call in a ticket.  There is a solution to this using PowerShell scripting, and I'll show you how in my next article.

Active Directory user account lockout notification (Part 2)

In part 1 of this article I showed you how to set up a task that sends an email notification when a user locks out their Active Directory account.  The shortfall was that it only notified you of an account being locked out, but didn't tell you WHO was locked out.  It's easy enough to figure out which user it was if you go to the Security log on your domain controller, filter for event 4740 and read the event details.  But this is an extra step and a little annoying, so we're going to improve the notification with a PowerShell script.

Please note: this will only work with PowerShell 2.0!  It is loaded by default in 2008 R2 and Windows 7; if you have 2003/2008, make sure you're up to date: http://support.microsoft.com/kb/968929

The first step is to take the code below, copy and paste it into Notepad and save it as "something".ps1

# How far back in the Security log to look; change the -30 if the task may run less often.
$30MinutesAgo = [DateTime]::Now.AddMinutes(-30)
$messageParameters = @{
    Subject = "User Account Locked"
    # Body: every event 4740 (user account locked out) written in the look-back window, as plain text.
    Body = Get-EventLog "Security" |
        Where {$30MinutesAgo -le $_.TimeWritten -and $_.eventid -eq 4740} |
        Format-List |
        Out-String
    # Replace these three values with your own (no spaces inside the quotes).
    From = "user_lockout@domain.com"
    To = "admin@domain.com"
    SmtpServer = "mailserver.domain.com"
}
Send-MailMessage @messageParameters

Make sure you modify the From, To and SmtpServer values to your own.  You can also change how far back in the log it looks for this particular event by modifying the first line.

The next step is to go back into the task created in part 1 of this article and modify it.  Go to the Actions tab and change the action from "Send an e-mail" to "Start a program".  Put "powershell" in the Program/script field, and add the argument shown, but with your own path to the .ps1 file we created earlier.


Now give it a test, you should see something like the screenshot below end up in your mailbox.


I am definitely not a powershell scripting guru, I'm sure there are other ways out there to do this same task, maybe even better ways.  But this one works for me, for now.  If anyone has ideas/suggestions for improving this please let me know!
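One way to take the script a step further, as an added example that is not code from the original article: pull the locked-out account name and the caller computer out of each 4740 message so the notification names them in the subject line.  It assumes PowerShell 2.0 or later on the domain controller, as in the article; the addresses, mail server and sample values are placeholders.

```powershell
# Added example, not from the original article: name the locked-out account and the
# computer the bad passwords came from in the Part 2 notification e-mail.
# Assumes PowerShell 2.0+ on the domain controller; change the three placeholders below.
$LookBack   = [DateTime]::Now.AddMinutes(-30)
$MailFrom   = "user_lockout@domain.com"
$MailTo     = "admin@domain.com"
$SmtpServer = "mailserver.domain.com"

function Get-LockoutDetails {
    param([string]$Message)
    # A 4740 message carries two "Account Name:" fields: the subject (normally the DC's
    # own computer account) and the account that was locked out. Anchoring on the
    # section heading picks the second one; 'unknown' is returned if a field is missing,
    # which happens for the caller when the lockout came in without a workstation name.
    $user = 'unknown'
    if ($Message -match 'Account That Was Locked Out:[\s\S]*?Account Name:\s+(\S+)') { $user = $Matches[1] }
    $caller = 'unknown'
    if ($Message -match 'Caller Computer Name:\s+(\S+)') { $caller = $Matches[1] }
    New-Object PSObject -Property @{ User = $user; Caller = $caller }
}

# Constructed sample of a 4740 message (abridged, tab-separated like the real one) so the
# parser can be checked without waiting for a live lockout.
$SampleMessage = "A user account was locked out.`r`n`r`nSubject:`r`n`tSecurity ID:`tS-1-5-18`r`n`tAccount Name:`tDC01`$`r`n`tAccount Domain:`tEXAMPLE`r`n`tLogon ID:`t0x3e7`r`n`r`nAccount That Was Locked Out:`r`n`tSecurity ID:`tS-1-5-21-1111-2222-3333-1105`r`n`tAccount Name:`tjdoe`r`n`r`nAdditional Information:`r`n`tCaller Computer Name:`tWKS-042"
$Check = Get-LockoutDetails -Message $SampleMessage
Write-Host ("Parser check: user={0} caller={1}" -f $Check.User, $Check.Caller)

# Filter at the source with -InstanceId and -After rather than reading the whole Security
# log and filtering afterwards, then send one mail per lockout so each alert is actionable.
Get-EventLog -LogName Security -InstanceId 4740 -After $LookBack | ForEach-Object {
    $d = Get-LockoutDetails -Message $_.Message
    $subject = "Account locked out: $($d.User) (caller: $($d.Caller))"
    $body = "Account '$($d.User)' was locked out at $($_.TimeGenerated) after bad passwords from '$($d.Caller)'.`r`n`r`nFull event text:`r`n$($_.Message)"
    Send-MailMessage -Subject $subject -Body $body -From $MailFrom -To $MailTo -SmtpServer $SmtpServer
}
```

The parser check line prints user=jdoe and caller=WKS-042 for the constructed sample; a caller of 'unknown' on a real event is itself worth a look, since it means the lockout was not attributed to a named workstation.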
