Passwords: Ending an era…

As I think back to “the old days” in the authentication world, we’ve come a long way; or have we? In the early 90s I ran a BBS (who knows what that is?). I required users to connect with a username and password of their choice. Sounds like what we do today. While login names and passwords have become increasingly complex, the process has not changed: tell me who you are and I will let you in! This is a great strategy; actually, it’s not.

Millions if not billions of login credentials are stolen annually, and the majority of data breaches involve stolen credentials. The NY Times reported in August 2014, “Russian Hackers Amass Over a Billion Internet Passwords”, and InformationWeek DarkReading reported in April 2014, “Stolen Passwords Used In Most Data Breaches”.

In the technology world we live in today, a username and password by themselves are not enough. I repeat: a username and password by themselves are not enough. Have you been hacked, or do you know someone who has? We all do. A few simple steps can drastically reduce the chances, both for businesses and personally.

  1. Use multi-factor authentication

    1. What is multi-factor authentication?  Wikipedia says: Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

    2. Many sites already offer multi-factor authentication.  Turn this feature on.  If you are a business owner, require it for access to your business resources.

      1. Banks – usually required

      2. Facebook – optional

      3. Google – optional

      4. Amazon – optional

    3. Relax password complexity and the frequency of password changes.

      1. Change the password requirements to be less complex, with fewer characters required, after adding an additional factor to the authentication process.

      2. Reduce the frequency of password changes.  If the policy is currently 90 days, perhaps 180 days is now acceptable after adding an additional factor to the authentication process.

  2. Close access to resources not secured by multi-factor authentication

    1. Shut down access from outside your network to resources inside your network which are not secured with multi-factor authentication.

    2. Provide a way to reach those resources from a resource (virtual desktop, published application, etc.) that sits within the boundaries of your network.

That’s great Sean, but how do I accomplish the recommendations you have made?  To start with, log in to each of the sites you use and see if they offer multi-factor authentication.  Usually this will be something like “send me an email or text before allowing access”.  If you are a business, look at products like Duo, AuthAnvil, Azure, and others to add this functionality to your infrastructure.  The main idea is to determine what needs to be secured; then you can determine the best multi-factor product to secure it.

In conclusion, while all of these technologies have existed for many years, they are now viable enough that businesses of all sizes should adopt them.  Deploying multi-factor products has become simpler, and with smartphones, end-user acceptance and adoption are very high.

Windows 10 KMS Activation against Windows Server 2012 R2 KMS Server

Note: This document assumes the Windows Server 2012 R2 server is running the VA Services Role (KMS Server). If it is not, install the Role and then follow these steps.

Update Windows 2012 R2 to support activating Windows 10

Call Microsoft Volume Licensing to get Windows Srv 2012R2 DataCtr/Std KMS for Windows 10 Key

Support Center Contact Info
Country:  United States
Toll Free Number(s): (866) 230-0560
Hours of Operation: 5 AM – 5 PM PST Mon - Fri
Languages Supported: English and French

  1. Log in to VLSC

  2. In VLSC - click License, then Relationship Summary.

  3. Now click the License ID of your current Active license.

  4. Once the page changes, click Product Keys.

  5. Scroll down the list and look for "Windows Srv 2012R2 DataCtr/Std KMS for Windows 10". Use this key.

Add the new key you obtained by calling Microsoft Volume Licensing

  1. Open an elevated command prompt (admin)

    1. slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX (replace with your Windows Srv 2012R2 DataCtr/Std KMS for Windows 10 KMS Key obtained above)

    2. slmgr /ato

    3. slmgr /dlv

    4. Add the Windows 10 KMS Client Key to your clients:

Windows 10 Professional



Windows 10 Professional N



Windows 10 Enterprise



Windows 10 Enterprise N



Windows 10 Education



Windows 10 Education N



Windows 10 Enterprise 2015 LTSB



Windows 10 Enterprise 2015 LTSB N



Use PowerShell to Disable Computer and User accounts in Active Directory over XXX days

As a consultant, one common problem I come across with clients is IT doing a poor job of managing old objects in Active Directory.  So generally I have to do that cleanup.  Here are some simple PowerShell commands that I find helpful for disabling these objects for security reasons.  Once you have disabled them and let the changes soak for a bit, you can easily find the disabled accounts and delete them.


Open PowerShell as an Administrator

Import the ActiveDirectory Module for PowerShell.
Import-Module ActiveDirectory

Set the number of days you want to check for inactivity; in my examples I will use 120 days.
$datecutoff = (Get-Date).AddDays(-120)

To simply list the accounts that have not logged in during the last 120 days (or the number of days defined above):

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize

To test the process without executing the actual disable, using the above criteria:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false -WhatIf

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false -WhatIf

To perform the actual disable using the above criteria:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false

Hope anyone who finds this article finds it as useful as the commands have been for me.
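
An added example (not part of the original post) of a more guarded version of the user cleanup above: it skips accounts that are already disabled, handles accounts that have never logged on (which the LastLogonDate filter alone does not match), writes a CSV record before changing anything, and stamps each account it disables. The OU in $SearchBase, the report file name and the $Commit switch are assumptions for illustration; computer accounts work the same way with Get-ADComputer and Set-ADComputer.

```powershell
# Added example: guarded variant of the disable workflow above (users only).
Import-Module ActiveDirectory

$DaysInactive = 120
$DateCutoff   = (Get-Date).AddDays(-$DaysInactive)
$SearchBase   = 'OU=Staff,DC=example,DC=com'   # hypothetical OU; scope the cleanup
$ReportPath   = Join-Path $PWD ("stale-users-{0:yyyyMMdd}.csv" -f (Get-Date))
$Commit       = $false                         # leave $false for a -WhatIf dry run

# Pull only enabled accounts and filter on the client, so accounts with no
# LastLogonDate (never logged on) are handled explicitly instead of being
# silently skipped by "LastLogonDate -lt $DateCutoff".
$stale = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
            -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        $_.whenCreated -lt $DateCutoff -and          # skip recently created accounts
        (-not $_.LastLogonDate -or $_.LastLogonDate -lt $DateCutoff)
    }

# Keep a record of exactly what is about to change, for review and rollback.
$stale |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated, Description |
    Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Disable and stamp each account so the later delete pass can find it.
$stamp = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $DaysInactive days"
foreach ($user in $stale) {
    $newDescription = "$stamp | $($user.Description)".TrimEnd(' ', '|')
    Set-ADUser -Identity $user -Enabled $false -Description $newDescription -WhatIf:(-not $Commit)
}

"{0} account(s) listed in {1}; commit = {2}" -f @($stale).Count, $ReportPath, $Commit
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the real last logon by up to about two weeks, so keep the cutoff well above that margin.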


Powershell IP Changes Static/DHCP

Recently, a Windows 10 computer I was working on would not allow me to change any network settings from the GUI.  I needed to change from DHCP to a static IP address to do some maintenance.  I also needed to add a secondary IP address.  How did I do this?  The steps are below and may come in handy to someone else.

Set IP Address to Static from Powershell

  1. Disable DHCP
    Open PowerShell

    Get-NetAdapter -Name Ethernet
    (note) review the output from the above command to get the Interface Name
    Set-NetIPInterface -InterfaceAlias "Ethernet" -Dhcp Disabled

  2. Set IP Address

    New-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Ethernet" -IPAddress -PrefixLength 24 -Type Unicast -DefaultGateway

    (note) -IPAddress change to the IP Address you want to assign

    (note) -PrefixLength is the Mask -24 is

    (note) -DefaultGateway change to the gateway for your network

    Set Static DNS Servers

    Primary:               netsh interface ip add dns name="Ethernet" addr= index=1
    Secondary:         netsh interface ip add dns name="Ethernet" addr= index=2
    Tertiary:               netsh interface ip add dns name="Ethernet" addr= index=3

  3. Add Secondary IP Address (If you want to add another IP Address to your interface)
    netsh interface ipv4 add address name=Ethernet mask=

Set DHCP from Powershell

  1. Enable DHCP

    Get-NetAdapter -Name Ethernet
    Set-NetIPInterface -InterfaceAlias "Ethernet" -Dhcp Enabled
    netsh interface ip set dns name="Ethernet" dhcp