To understand how to troubleshoot security related problems, you need to understand how the core concepts of Windows’ Security Subsystem work. In this course, Troubleshooting Security and Active Directory Issues with Sysinternals Tools, you’ll learn how the cornerstones of Windows Security are built and how to use Sysinternals to solve issues relating to security and Active Directory. First you’ll learn how Windows’ access control works. Next, you’ll explore how to identify the best tools for troubleshooting security issues. Finally, you’ll discover how Sysinternals tools can be used to troubleshoot Active Directory related issues. When you’re finished with this course, you’ll have the skills and knowledge needed to troubleshoot security and Active Directory related problems with Sysinternals tools.
Course Overview Hey everyone, my name is Sami Laiho, and welcome to my course, Troubleshooting Security and Active Directory Issues with Sysinternals Tools. I'm a senior technical fellow at my own company, Adminize. They say that nowadays there are only two kinds of companies, those that have been breached and those that don't know they have been breached. Cyber security has become a fundamental part of every IT pro's job in the past few years. There are luckily quite a lot of great tools out there that can help you with your security-related problems. In this course you will learn how to troubleshoot security and Active Directory-related problems with Sysinternals' tools and how to play CSI when you face a real breach, which you will at some point. Some of the major topics that we will cover include how the Windows security subsystem actually works, how Sysmon can help you track bad guys, and how to monitor Active Directory traffic. By the end of this course you'll know how to effectively troubleshoot security issues in Windows. Before beginning the course you should have viewed the first course on this learning path on the Sysinternals toolkit on Pluralsight. I hope you'll join me on this Troubleshooting Security and Active Directory Issues with Sysinternals Tools, at Pluralsight.
Analyzing and Managing Logons with Sysinternals Tools The next module is called Analyzing and Managing Logons with Sysinternals Tools. These tools provide you the information needed to figure out who has logged on to what computers or a single computer about who has logged on to that computer. The first tool is PsLoggedOn. It works perfectly locally and remotely, but if you're running it remotely you need to have enabled the Remote Registry Service. Now PsLoggedOn looks at the registry to figure out who's logged on currently. It shows you both the currently logged on console users and also people who are using your resources over the network. It's a fundamental tool if you want to know whether you can reboot a remote box or not. If there are users logged on to it or not. Autologon is a super-simple tool. I added it here because I use it a lot. It is just the way to change the default registry keys for logging on someone automatically to a computer. It can be used for kiosk machines and I use it a lot for troubleshooting slow logons where you have to take the human factor out of the equation. When you do slow logon analysis you are always used to the Autologon because sometimes a user types their password once wrong or sometimes they type it wrong six times, which means you need to take away the human factor. The last tool here is called LogonSessions. LogonSessions looks at local security authority for all sorts of logons, so this one will show you a lot more information than PsLoggedOn. It shows you the service logons, it shows you the computer account logons, and the user logons. It's a good way to also look at the NTLM versus Kerberos logons.
Diagnosing Authentication and Authorization Issues in Active Directory The last module is called Diagnosing Authentication and Authorization Issues in Active Directory. In Sysinternals there are a few fundamental tools that you need to know when you're trying to troubleshoot while in a client application, for example, does not work against your Active Directory doing certain LDAP calls. When you're troubleshooting anything related to Active Directory, whether it's Active Directory security or just general Active Directory, troubleshooting AdExplorer is just irreplaceable. It allows you to look at the current Active Directory, but what's the best thing about it is the thing that it can actually create a snapshot of your whole Active Directory. You can then change something, you can then use an app, you can do whatever you want, and then you can verify your current Active Directory against that snapshot. AdInsight is like ProcMon for Active Directory. It is a simple monitoring tool for all LDAP traffic that is traveling to Active Directory. It is the ideal troubleshooting tool for Active Directory client application problems. And then the last one on this list is AdRestore. You can delete things in Active Directory, those objects will end up having a tombstone and not really get deleted. Now restoring those, even if you would have the Recycle Bin enabled it's not that straightforward. With AdRestore you can just simply restore an object that has been marked for deletion.