How to reset Local Security Policy in Windows Server

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

This will reset all the custom security settings that you have set in the Windows Server.


Windows Logon Process for Password Changes

When the Kerberos ticket expires on the computer, if this computer connects back to the network, lsass.exe will try to contact the DC to refresh the Kerberos token with the cached password.

When the password is changed, the KDC service on the DC will test the last 2 old passwords. If it finds the client machine is using the last 2 old password, even though the Kerberos authentication fails, it won’t increase the “badpwdcount” attribute for the user account. This is to make sure that the user account won’t be locked out.

As DC doesn’t store clear text password but only the password hash which is encrypted by default algorithms, AD database has password hash for each algorithm to make sure all the supported encryption type will work.

Based on the above, when the user changes the password, it is recommended to logoff on the client machines before connecting back to the network.  Because, if the user changes the password more than twice then connects the offline computer back online, the account will be locked out.

Password history check (N-2): Before a Windows Server 2003 & above operating system increments badPwdCount, it checks the invalid password against the password history. If the password is the same as one of the last two entries that are in the password history, badPwdCount is not incremented for both NTLM and the Kerberos protocol. This change to domain controllers should reduce the number of lockouts that occur because of user error.


PowerShell Performance Tips

Processing Large Files

The idiomatic way to process a file in PowerShell might look something like:

Get-Content $path | Where-Object { $_.Length -gt 10 }

This can be nearly an order of magnitude slower than using .NET APIs directly:

   $stream = [System.IO.StreamReader]::new($path)
   while ($line = $stream.ReadLine())
      if ($line.Length -gt 10)

Avoid Write-Host

It is generally considered poor practice to write output directly to the console, but when it makes sense, many scripts use Write-Host.

If you must write many messages to the console, Write-Host can be an order of magnitude slower than [Console]::WriteLine().

Scripting · Windows

Testing Your Server for SSL Encryption Strength

There are times whereby you need to test a port such as 443 or 3389 to see if the certificate is using SHA-1 or SHA-256.

There are many tools out there that can do this. One way to do it is to use OpenSSL.


  1. Download OpenSSL for Windows from here
  2. Launch command prompt and punch in the following:
C:\openssl\bin\echo " " | openssl.exe s_client -connect localhost:3389 -servername >nul | openssl.exe x509 -noout -text | findstr /C:"Signature Algorithm"

The output will be as follows:

Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption


TestSSLServer is a command-line tool which contacts a SSL/TLS server and obtains some information on its configuration. It aims at providing (part of) the functionality of Internet-based tools like Qualys SSL Server Test, but without the requirement of the server being Internet-reachable. You can use TestSSLServer on your internal network, to test your servers while they are not (yet) accessible from the outside.


After downloading, open command prompt & run build.cmd to compile the .exe

To test the RDP (3389) port, launch the command below:

TestSSLServer2.exe -v localhost 3389


[trying version=SSLv2]
[trying version=TLSv1.2, extensions=True, maxLen=8192 (3999 suites per hello)]
[hello received]
[suites: version=SSLv3 (4020 suites per hello)]
[suites: version=TLSv1.0 (4020 suites per hello)]
.[suites: version=TLSv1.1 (4020 suites per hello)]
.[suites: version=TLSv1.2 (3999 suites per hello)]
.[spontaneous EC support, version=TLSv1.2, 6 suite(s)]
[elliptic curve enumeration, version=TLSv1.2, 6 suite(s)]
Connection: localhost:3389
SNI: localhost
     server selection: enforce server preferences
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_CBC_SHA
     3f- (key:  RSA)  DHE_RSA_WITH_AES_256_CBC_SHA
     3f- (key:  RSA)  DHE_RSA_WITH_AES_128_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_AES_256_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_AES_128_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_3DES_EDE_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_RC4_128_SHA
     3-- (key:  RSA)  RSA_WITH_RC4_128_MD5
  TLSv1.1: idem
     server selection: enforce server preferences
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_GCM_SHA384
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_GCM_SHA256
     3f- (key:  RSA)  DHE_RSA_WITH_AES_256_GCM_SHA384
     3f- (key:  RSA)  DHE_RSA_WITH_AES_128_GCM_SHA256
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_CBC_SHA384
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_CBC_SHA256
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_CBC_SHA
     3f- (key:  RSA)  DHE_RSA_WITH_AES_256_CBC_SHA
     3f- (key:  RSA)  DHE_RSA_WITH_AES_128_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_AES_256_GCM_SHA384
     3-- (key:  RSA)  RSA_WITH_AES_128_GCM_SHA256
     3-- (key:  RSA)  RSA_WITH_AES_256_CBC_SHA256
     3-- (key:  RSA)  RSA_WITH_AES_128_CBC_SHA256
     3-- (key:  RSA)  RSA_WITH_AES_256_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_AES_128_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_3DES_EDE_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_RC4_128_SHA
     3-- (key:  RSA)  RSA_WITH_RC4_128_MD5
+++++ SSLv3/TLS: 1 certificate chain(s)
+++ chain: length=1
names match:        yes
includes root:      yes
signature hash(es):
+ certificate order: 0
thumprint:  581E09B2D1EE08480DDC0B557F5F18B06D2E4CCE
serial:     30BE8815A18B57BF41BA33D2B76E9530
subject:    CN=NX01
issuer:     CN=NX01
valid from: 2017-05-02 12:27:44 UTC
valid to:   2017-11-01 12:27:44 UTC
key type:   RSA
key size:   2048
sign hash:  SHA-256
server names:
Server compression support: no
Server time: 2017-05-30 02:26:43 UTC (offset: -761 ms)
Secure renegotiation support: yes
Encrypt-then-MAC support (RFC 7366): no
SSLv2 ClientHello format (for SSLv3+): yes
Minimum DH size: 2048
DH parameter reuse: yes
Minimum EC size (no extension):   252
Minimum EC size (with extension): 252
ECDH parameter reuse: yes
Supported curves (size and name) ('*' = selected by server):
    256  secp256r1 (P-256)
    384  secp384r1 (P-384)
  * 252  ecdh_x25519
WARN[CS005]: Server supports RC4.
WARN[CS006]: Server supports cipher suites with no forward secrecy.

As per output, 3DES & RC4 are still enabled in Windows Server 2016.

nmap Tool

Another tool which you can use is nmap.


Open command prompt & run the following to scan for weak ciphers.

nmap -Pn --script ssl-enum-ciphers -p 3389 localhost


Starting Nmap 7.40 ( ) at 2017-05-29 20:36 Malay Peninsula Standard Time
Nmap scan report for localhost (
Host is up (0.00s latency).
Other addresses for localhost (not scanned): ::1
3389/tcp open ms-wbt-server
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| compressors:
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity

You can see that 3DES & RC4 is still enabled in Windows Server 2016.


Leadership Tips From Famous People

I was watching Channel News Asia and it was showing a repeat telecast of Conversation With series. It featured an interview with Uniqlo CEO Tadashi Yanai and it was very interesting.

Uniqlo CEO: Tadashi Yanai


Uniqlo founder Tadashi Yanai is fascinated by failure. And he’d rather be a tough boss, than a nice one. Here are 5 things to know about Japan’s richest man.

1: Japanese Quality at Chinese Prices

PL: Product Leader

OE: Operating Excellence

This is similar to IKEA.

2: 9 Failures to Get 1 Success

You have to face 9 failures in order to get 1 success. Don’t be afraid of failures. Learn from it.

3: Be a Tough Boss

Be a tough boss so that your subordinates can grow and improve. With pressure, they can then achieve greatness.

4: Change

Uniqlo has a picture frame “Change or Die”. To change is to change your usual state.

IBM used to make meat cutters and punch cards. GE used to be manufacturing light bulbs. Tony Rayon now makes parts for Boeing, gold club shafts and Uniqlo.

So, you have to change. There is simply no other way to survive.

5: Find Successors

Be willing to find successors and train them up to take over.