Sunday, December 31, 2023

Windows Firewall rules for Fortinet SSO Collector

The Fortinet SSO Collector service will collect login information from all domain controllers, and forward user / machine / IP information to the FortiGate.

I recently installed new Windows 2022 Domain Controllers in core mode (no GUI). For the SSO collector and agent communication, firewall ports needed to be installed to allow the incoming communications.


Wednesday, September 15, 2021

Grab a NIC IP information and dynamically create a reset script

I had a request to figure out how to record a NIC's IP information and make it easy to put the config back if required. The result is a runnable $outfile PowerShell script to reset the settings.

Friday, April 16, 2021

Native Windows 10 packet Sniffer PKTMON

I had to troubleshoot connectivity issues from a Windows 10 machine, and really did not want to install Wireshark. Then I remembered reading this document for the built-in sniffer: pktmon | Microsoft Docs

 Basically here are the steps:

  • Change directory to where you want the results to be saved (e.g. c:\temp)
  • Add Filters for the IP you want to monitor for
    • pktmon filter add -i
    • pktmon filter add -i

  • Start pktmon
    • pktmon start --etw  (this will send to PktMon.etl file only)
    • pktmon start --etw -l real-time (Will send to PktMon.etl file and the screen)
  • Generate the traffic

  • Stop pktmon
    • pktmon stop

The native file PktMon.etl can only be read by Microsoft’s NetMon.  If you have Wireshark installed you can run this command to convert it:

  • pktmon pcapng pktmon.etl -o log.pcapng


Also for reference, the on screen verbose (-l real-time) of opening nslookup and connecting to would look like this:




There are other options in the linked doc but to get a quick view of traffic, not bad….  Enjoy!
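
The steps above as a single time-boxed script, added here as an example (it is not the author's code). The parameter names `$TargetIp`, `$OutDir` and `$Seconds` and the `Invoke-PktMon` helper are hypothetical, and the script assumes the pktmon syntax shown in the steps; it also clears the filter list and stops the capture even if something fails partway.

```powershell
#Requires -RunAsAdministrator
# Added example: bounded pktmon capture for one IP, converted to pcapng.
# $TargetIp, $OutDir, $Seconds and Invoke-PktMon are assumptions, not from the post.
param(
    [Parameter(Mandatory)][ipaddress]$TargetIp,    # host whose traffic is captured
    [string]$OutDir = 'C:\temp',                   # PktMon.etl is written here
    [ValidateRange(1, 3600)][int]$Seconds = 30     # length of the capture window
)

function Invoke-PktMon {
    # Run pktmon with explicit string arguments and fail on a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & pktmon.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "pktmon $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Push-Location $OutDir
try {
    # Start from an empty filter list so stale filters do not widen or hide the capture.
    & pktmon.exe filter remove | Out-Null
    Invoke-PktMon 'filter', 'add', '-i', "$TargetIp"

    Invoke-PktMon 'start', '--etw'
    try {
        # Generate the traffic being investigated during this window.
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Always stop, otherwise the capture keeps running after the script exits.
        Invoke-PktMon 'stop'
    }

    # Convert with the subcommand from the post; later Windows builds expose
    # the same conversion as 'etl2pcap', so fall back to that name.
    try   { Invoke-PktMon 'pcapng',   'PktMon.etl', '-o', 'log.pcapng' }
    catch { Invoke-PktMon 'etl2pcap', 'PktMon.etl', '-o', 'log.pcapng' }
}
finally {
    # Leave no filters behind for the next capture on this machine.
    & pktmon.exe filter remove | Out-Null
    Pop-Location
}
```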

Friday, April 09, 2021

Wednesday, August 26, 2020

Rename Files to a random name

I had a bunch of photos that I wanted to randomize on a photo frame. The frame processes photos alphabetically by file name. Since the original filename had the date / time the picture was taken, there was no randomness to what was displayed.

I wrote this to change the filenames to a random number.

Thursday, June 18, 2020

Remove WSUS GPO settings

Most companies deploy Windows Software Update Services (WSUS) via a group policy to keep all corporate systems updated. However, sometimes the nerd in me wants the latest and greatest, before corporate approves them. So run these commands in an administrative PowerShell session. This will remove the WSUS settings until the next GPO sync.

Tuesday, June 16, 2020

PCI Antivirus logs

QSA requested proof of Antivirus logging and the retention. Using the LET command I am grabbing the newest and oldest log entries as evidence.

Monday, June 15, 2020

PCI Requirement 2 - Proof MFA in use

I am going through a PCI audit and was asked to prove that MFA was in use. I used this Azure KQL against my log analytics workspace to show all sign-ins and if MFA was checked.

Monday, April 20, 2020