Use PowerShell to Disable Computer and User Accounts in Active Directory Inactive for Over XXX Days

As a consultant, one common problem I come across at clients is IT doing a poor job of managing old objects in Active Directory, so generally I end up doing that cleanup. Here are some simple PowerShell commands that I find helpful for disabling these objects for security reasons. Once you have disabled them and let the change soak for a while, you can easily find the disabled accounts and delete them.

Open PowerShell as an Administrator.

Import the Active Directory module for PowerShell:
Import-Module ActiveDirectory

Set the number of days of inactivity you want to check for. In my examples I will use 120 days:
$datecutoff = (Get-Date).AddDays(-120)

To simply list the accounts that have not logged on in the last 120 days (or the number of days defined above):

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize

To test the process without executing the actual disable, using the above criteria (-WhatIf only reports what would change):

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false -WhatIf

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false -WhatIf

Perform the process and execute the actual disable using the above criteria:

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false
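The sweep above, as an added example script that is not from the original post: it keeps a CSV record of what was touched, stamps each object's description, and also catches accounts that have never logged on, which the plain LastLogonDate filter silently skips. It assumes the RSAT ActiveDirectory module is available and the caller can modify the accounts; the report path is a constructed placeholder.

```powershell
# Added example, not from the original post: a stale-account sweep built on the commands above.
# Assumes the RSAT ActiveDirectory module and rights to modify the accounts; $ReportPath is a
# constructed placeholder location.
param(
    [int]$InactiveDays = 120,
    [string]$ReportPath = "C:\Temp\stale-accounts-$(Get-Date -Format yyyyMMdd).csv",
    [switch]$Disable    # without this switch the script only reports, like -WhatIf above
)
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate comes from lastLogonTimestamp, which replicates only every 9-14 days, so keep
# that slack in mind when picking $InactiveDays. Accounts that have never logged on have no
# LastLogonDate at all and "-lt $cutoff" silently skips them; they are collected separately
# by creation date so a freshly created account is not disabled by mistake.
$props = 'LastLogonDate', 'whenCreated'
$stale = @(
    Get-ADComputer -Properties $props -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff }
    Get-ADComputer -Properties $props -Filter { Enabled -eq $true -and LastLogonDate -notlike "*" -and whenCreated -lt $cutoff }
    Get-ADUser     -Properties $props -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff }
    Get-ADUser     -Properties $props -Filter { Enabled -eq $true -and LastLogonDate -notlike "*" -and whenCreated -lt $cutoff }
)

# Write the report first so there is a record of exactly what was touched.
$stale | Select-Object ObjectClass, Name, DistinguishedName, LastLogonDate, whenCreated |
    Sort-Object ObjectClass, LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation
if (-not $Disable) {
    Write-Host "Report only: $($stale.Count) stale accounts written to $ReportPath"
    return
}

foreach ($obj in $stale) {
    # Stamp the object so whoever finds it later knows why and when it was disabled,
    # then disable it; Disable-ADAccount handles both user and computer objects.
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd) by stale-account sweep; last logon: $($obj.LastLogonDate)"
    Set-ADObject -Identity $obj.DistinguishedName -Description $note
    Disable-ADAccount -Identity $obj.DistinguishedName
}
Write-Host "Disabled $($stale.Count) accounts; report at $ReportPath"
```

Run it once without -Disable, review the CSV, then run it again with -Disable; service accounts that authenticate by other means can show an old LastLogonDate, so check the report before disabling.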


I hope anyone who finds this article finds it as useful as these commands have been for me.


PowerShell IP Changes: Static/DHCP

Recently, a Windows 10 computer I was working on would not allow me to change any network setting from the GUI. I needed to change from DHCP to a static IP address to do some maintenance. I also needed to add a secondary IP address. How did I do this? The steps are below and may come in handy to someone else.

Set IP Address to Static from PowerShell

  1. Disable DHCP

    Open PowerShell as an Administrator and list the adapters:
    Get-NetAdapter

    (note) review the output from the above command to get the interface name, confirm it, then turn DHCP off on that interface only (without -InterfaceAlias the setting would apply to every interface)
    Get-NetAdapter -Name Ethernet
    Set-NetIPInterface -InterfaceAlias Ethernet -AddressFamily IPv4 -Dhcp Disabled

  2. Set IP Address

    New-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Ethernet" -IPAddress 192.168.1.100 -PrefixLength 24 -Type Unicast -DefaultGateway 192.168.1.1

    (note) -IPAddress 192.168.1.100: change to the IP address you want to assign

    (note) -PrefixLength is the subnet mask in CIDR notation; 24 is 255.255.255.0

    (note) -DefaultGateway 192.168.1.1: change to the gateway for your network

    Set static DNS servers:

    Primary:   netsh interface ip add dns name="Ethernet" addr=192.168.1.10 index=1
    Secondary: netsh interface ip add dns name="Ethernet" addr=192.168.1.11 index=2
    Tertiary:  netsh interface ip add dns name="Ethernet" addr=8.8.8.8 index=3

  3. Add Secondary IP Address (if you want to add another IP address to the interface)

    netsh interface ipv4 add address name="Ethernet" 192.168.2.100 mask=255.255.255.0

Set DHCP from PowerShell

  1. Enable DHCP

    Get-NetAdapter -Name Ethernet
    Set-NetIPInterface -InterfaceAlias Ethernet -AddressFamily IPv4 -Dhcp Enabled
    netsh interface ip set dns name="Ethernet" dhcp
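The static/DHCP switch above, as an added example that is not from the original post: two functions that always name the interface explicitly, clear the old address and default route before assigning new ones (enabling DHCP does not remove a static address by itself), and support -WhatIf. It assumes the NetTCPIP and DnsClient modules that ship with Windows 8/Server 2012 and later; the addresses are constructed sample values.

```powershell
# Added example, not from the original post. Assumes NetTCPIP/DnsClient cmdlets
# (Windows 8 / Server 2012 and later); all addresses below are constructed samples.
function Set-StaticIPConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,
        [Parameter(Mandatory)][string]$IPAddress,
        [int]$PrefixLength = 24,
        [Parameter(Mandatory)][string]$Gateway,
        [string[]]$DnsServers = @()
    )
    # Fail early on a wrong alias rather than reconfiguring the wrong adapter.
    $adapter = Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($adapter.Name, "set static $IPAddress/$PrefixLength via $Gateway")) {
        Set-NetIPInterface -InterfaceAlias $adapter.Name -AddressFamily IPv4 -Dhcp Disabled
        # Clear the existing IPv4 address and default route; otherwise New-NetIPAddress can
        # fail with "object already exists" or leave a second default gateway behind.
        Get-NetIPAddress -InterfaceAlias $adapter.Name -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
        Get-NetRoute -InterfaceAlias $adapter.Name -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
            Remove-NetRoute -Confirm:$false
        New-NetIPAddress -InterfaceAlias $adapter.Name -AddressFamily IPv4 -IPAddress $IPAddress `
            -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
        if ($DnsServers.Count -gt 0) {
            # Cmdlet equivalent of the three "netsh interface ip add dns" lines; list order is priority order.
            Set-DnsClientServerAddress -InterfaceAlias $adapter.Name -ServerAddresses $DnsServers
        }
    }
}

function Set-DhcpIPConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$InterfaceAlias)
    $adapter = Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($adapter.Name, "revert to DHCP")) {
        # Enabling DHCP does not remove a static address or gateway, so clear them first.
        Get-NetIPAddress -InterfaceAlias $adapter.Name -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
        Get-NetRoute -InterfaceAlias $adapter.Name -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
            Remove-NetRoute -Confirm:$false
        Set-NetIPInterface -InterfaceAlias $adapter.Name -AddressFamily IPv4 -Dhcp Enabled
        # Equivalent of "netsh interface ip set dns name=... dhcp".
        Set-DnsClientServerAddress -InterfaceAlias $adapter.Name -ResetServerAddresses
    }
}

# Usage with the sample values: preview with -WhatIf, then run without it.
Set-StaticIPConfig -InterfaceAlias Ethernet -IPAddress 192.168.1.100 -Gateway 192.168.1.1 `
    -DnsServers 192.168.1.10, 192.168.1.11, 8.8.8.8 -WhatIf
```

If you are connected to the machine over the interface being changed, the session will drop when the address changes, so run this from the console or a second adapter.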

CryptoWall and Its Havoc-Wreaking Impacts!

Emerging next-generation threats are everywhere in this digital age. In the late 90s we were protecting our systems against unwanted access, and that is still the case today. It is a never-ending battle that has security professionals fighting "the BAD guys", who are always 3 steps ahead. As complexity continues to rise at all levels of technology, so does the knowledge required to secure these systems. The landscape changes every few minutes, so security professionals can never fully catch up.

Enter the world of ransomware. Ransomware makes your data unusable, and if you want to use it again, PAY ME! With good backups this is an inconvenience and a disruption. Without good backups, welcome to a nightmare. There are numerous horror stories and likely some "Out of Business" signs as a result of ransomware incidents like CryptoWall infections. If you have not been impacted by an infection like this, you most likely know someone who has.

What is CryptoWall?

CryptoWall is a Trojan (ransomware) that encrypts files and demands a ransom to decrypt the files it has encrypted. It was introduced in April of last year and continues to be updated; CryptoWall 3.0 is the latest version at the time of this article. It targets all versions of Windows. CryptoWall generally arrives via emails with attachments or links; the attachments are usually ZIP files containing what appear to be PDF files but are actually executables. These files are commonly presented as invoices, bills, complaints, POs, or some other type of business-related communication.

How do I become infected with CryptoWall?

The typical ways to become infected are through an email message or through an infected website. The email message contains a link or an attachment, and infection requires clicking the link or opening the attachment. A malicious website exploits outdated browser add-ins (Adobe Flash, Java, etc.) to infect the system.

How can I protect against CryptoWall?

There are a number of preventive measures that can be employed. There is no way to rule out an infection entirely, short of disconnecting from the internet permanently, but you can reduce the risk by: training end users; implementing safe internet browsing practices; leveraging your gateway firewall security appliance (SonicWALL, Fortinet, etc.); keeping antivirus updated on all devices; deploying a malware scanner and keeping it updated on all devices; using DNS filtering services (OpenDNS, Dyn, etc.); and deploying software restriction policies on all end-user desktops, including Terminal Servers and Citrix servers.

What are the impacts of these methods of protection?

As mitigations are deployed to reduce the risk, there is almost always an impact on end users. These impacts can be reduced performance, additional steps to complete a task, or the inability to perform a task at all. When deploying a mitigation, it is important to communicate with end users so they are aware of the potential impacts and know what steps to take when they are affected.

Examples of Impacts and Remediation

Implementing Stricter Anti-Virus Protection
Problem: Users are not able to launch a program, or a program is slow.
Solution: Add exclusions to the antivirus program to allow and/or not scan that program.

Deploying Stricter Firewall Security Rules (Content Filtering, Application Controls, Gateway AntiVirus, etc.)
Problem: Users are not able to access a business website or public cloud application.
Solution: Add a whitelist entry or exception on the firewall.

Deploying a Software Restriction Policy via Group Policy
Problem: A user is not able to launch an application and is alerted "Your system administrator has blocked this program. For more information, contact your system administrator."
Solution: If this is a valid application, the systems administrator adds the program to the policy to allow it to run.

Implementing DNS Threat Protection and Controls
Problem: A user is not able to access a business website or cloud-based application and sees "Site has been blocked" or "Page cannot be displayed in browser".
Solution: Add the site to the whitelist on the DNS control software, site, or system.
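The software restriction item above, worked through as an added example that is not from the article: an AppLocker executable policy (AppLocker is the successor to Software Restriction Policies and gives users the same "blocked by your administrator" message) that denies programs run from the user-writable Temp folders where emailed ZIP/"PDF" droppers land, started in audit mode so the help-desk impacts listed above appear in the event log before anything is blocked. It assumes the Application Identity service is running; the rule GUIDs, the sample file and the GPO distinguished name are placeholders.

```powershell
# Added example, not from the article. AppLocker EXE rules in AuditOnly mode: would-be blocks
# are logged as event ID 8003 in "Microsoft-Windows-AppLocker/EXE and DLL" instead of enforced.
# Assumes the Application Identity service is running; GUIDs and the GPO DN are placeholders.
$rulesXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Once a collection has any rule, everything not explicitly allowed is blocked when
         enforced, so the standard allow rules must be present alongside the denies. -->
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Allow Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Deny wins over Allow: %WINDIR%\Temp is user-writable yet covered by "Allow Windows". -->
    <FilePathRule Id="44444444-4444-4444-4444-444444444444" Name="Deny Windows Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="55555555-5555-5555-5555-555555555555" Name="Deny user profile Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'applocker-exe-audit.xml'
Set-Content -Path $policyPath -Value $rulesXml -Encoding UTF8

# Dry run: decide for a system binary and for a copy of it dropped in the user's Temp folder
# (a constructed sample; Test-AppLockerPolicy evaluates real files on disk).
$sample = Join-Path $env:TEMP 'invoice.pdf.exe'
Copy-Item "$env:windir\System32\notepad.exe" $sample
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:windir\System32\notepad.exe", $sample -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $sample

# Deploy to a GPO only after the 8003 audit events have been reviewed and legitimate per-user
# applications (many install under AppData\Local) have been added as Allow rules; otherwise
# switching to Enabled produces exactly the "program blocked" calls described above.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap 'LDAP://DC=example,DC=local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local'
```

The dry run should show notepad.exe as Allowed by "Allow Windows" and the Temp copy as Denied by "Deny user profile Temp"; a path that matches no rule at all is reported as DeniedByDefault.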

Additional Information on CryptoWall

Source: http://www.techrepublic.com/article/cryptowall-what-it-is-and-how-to-protect-your-systems/
Source: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent
Source: http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99
Source: http://news.techworld.com/security/3582363/disaster-as-cryptowall-encrypts-us-firms-entire-server-installation/
Source: http://www.pcworld.com/article/2600543/cryptowall-held-over-halfamillion-computers-hostage-encrypted-5-billion-files.html
Source: http://blogs.cisco.com/security/talos/cryptowall-3-0