Get yourself a cheap cloud host running Windows Server.
Add an SSL-based SSTP VPN.
Add an SSL-based Remote Desktop Gateway.
Put Let's Encrypt certificates on all of it.

For quick access to blocked URLs, put a Glype PHP proxy somewhere (maybe on that same IIS).


My current setup: a host in Azure running VPN and RDP Gateway, mostly connecting to the RDP Gateway on the home server, connecting to a VM guest… You know… RDP-ception!

Now you can go everywhere!


There are really some huge flaws in this system…

Too bad actually, because it's a nice thing!

Let’s show you my setup:

(screenshots: exe rules, script rules)

So everyone can run executables and scripts signed by my self-signed code-signing certificate and the Juniper ones.
Everyone can execute from %programfiles% and %windir% (default rules), and Everyone from a safe directory called "epic tools" on my SkyDrive.
And 2 file-path exceptions for KeePass and onecal…

Almost the same for PowerShell, with a specific hash rule for my PowerShell profile (which can go now because it's signed by the self-signed cert).

Anyway, %desktop% is blocked for all normal users.

Bypass AppLocker's PowerShell policy

Let’s try to run a ps1 file located on the desktop.

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\mendel\Desktop\applockertest\helloworld.ps1'"

I noticed this one when running a PowerShell script by invoking it from the right-click menu ("Run with PowerShell") and used Procmon to find the exact launch command…

(The right-click "Run with PowerShell" entry is only available in the context menu if you have the ".ps1" extension associated with Notepad… WTF)

And of course there are more.
This one is also nice!
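An added, defender-side example (not from the original post): on a machine where the rules above are applied, this asks the effective AppLocker policy what it decides for that desktop script and for powershell.exe itself, and then lists the recent script-policy events so a blocked or audit-only launch shows up. The desktop path is the one from the post; the user name and event count are assumptions.

```powershell
Import-Module AppLocker

function Test-DesktopScriptAgainstAppLocker {
    # Returns one decision object per path: FilePath, PolicyDecision (Allowed/Denied/...), MatchingRule
    param(
        [string]$ScriptPath = "$env:USERPROFILE\Desktop\applockertest\helloworld.ps1",  # path from the post
        [string]$User = 'Everyone'                                                         # assumed principal
    )
    # Effective policy = local AppLocker policy merged with every applied GPO policy
    $policyXml = Get-AppLockerPolicy -Effective -Xml
    $paths = @(
        $ScriptPath,
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    )
    Test-AppLockerPolicy -XmlPolicy $policyXml -Path $paths -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-RecentScriptPolicyEvents {
    # AppLocker script/MSI log: 8005 = allowed, 8006 = audit-only (would have been blocked), 8007 = blocked
    param([int]$MaxEvents = 50)   # assumed default
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/MSI and Script' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object Id -in 8005, 8006, 8007 |
        ForEach-Object {
            # The event payload is UserData/RuleAndFileData with FilePath, RuleName, TargetUser, ...
            $x = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $x.Event.UserData.RuleAndFileData.ChildNodes) { $data[$node.Name] = $node.InnerText }
            [pscustomobject]@{
                Time = $_.TimeCreated
                Id   = $_.Id
                User = $data['TargetUser']
                Path = $data['FilePath']
                Rule = $data['RuleName']
            }
        }
}

# Usage (run in an elevated shell on the machine under test):
#   Test-DesktopScriptAgainstAppLocker
#   Get-RecentScriptPolicyEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the desktop script comes back Denied from Test-AppLockerPolicy but still ran, the 8005/8007 entries for that path tell you which rule (or missing enforcement) actually applied.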

Bypass AppLocker's exe policy

Multiple bugs/exploits for this are known, for example the ones from Casey Smith.

I just used Casey's code to PoC this 🙂

Basically, just block everything!

Device Guard

A new feature in Windows 10 might be a solution for all of this 🙂

We’ll see, we’ll see…

Ok, let's get it over with. Once and for all, a decent how-to to set up Authentication Mechanism Assurance (AMA) in Active Directory Domain Services…

The last time I talked about this was when I had just found out about its existence at TechEd, in a talk by Hasain Alshakarti and Marcus Murray.

It basically makes a difference in group memberships between logging in with a regular username/password and logging in with a smart card. If you log in with a password you're a normal user; when you log on with a smart card you're an admin! 🙂

The Microsoft step-by-step guide however is a bit long, and a bit clumsy… So here's a quick rewrite 🙂

➡ Required components: a Windows Server, a PKI (or the default one in ADDS, whatever), and some time.

CA Templates

First, we'll have to create a new certificate template.
Open the Certificate Templates management console, and go to the templates.

Let's start by duplicating the "Smartcard Logon" one. Choose 2008 R2 for everything.

This default template should be good; 1 little thing needs to change.

Open the template and go to the Extensions tab, where you'll see the issuance policies. Here you'll need to add a new one.

Give it some useful name, for example "server admin" or whatever.

This extra extension will now go into the actual enrolled certificate…


Next we'll need to teach ADDS how to map that extension to an actual security group. This can be done using the weird PowerShell script provided by Microsoft, but let's do it manually here (it goes way faster!).

The link between the OID we just created and a security group is a policy defined in the regular SYSTEM partition of ADDS. Open it either using ADSIEDIT or the Sites and Services mmc.

Of course we're working with Public Key Services, OID config, and that's where all the policies are stored. We're looking for the OID of the policy we created earlier (add the "displayName" attribute to the MMC columns to make your life easier).

If you've found the correct object, right-click it, open the attributes, and search for the "msDS-OIDToGroupLink" attribute.

⭐ This is the magic attribute ⭐

Fill in the DN of the security group.
And you’re good to go!
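The same link, done with the ActiveDirectory module instead of ADSI Edit, as an added example (not Microsoft's script and not from the original post): it looks the issuance policy up by the display name given in the template editor, refuses anything that is not a universal security group (the only group type AMA honours), writes msDS-OIDToGroupLink, and reads the back-link on the group to confirm. The policy and group names in the usage line are assumptions.

```powershell
Import-Module ActiveDirectory

function Set-AmaGroupLink {
    # Link an issuance policy OID object to a group so that a smart card logon with a
    # certificate carrying that policy adds the group to the user's token.
    param(
        [Parameter(Mandatory)][string]$PolicyDisplayName,   # name typed in the Extensions tab, e.g. 'server admin'
        [Parameter(Mandatory)][string]$GroupName            # sAMAccountName of the target group
    )
    # Issuance policies live under CN=OID,CN=Public Key Services in the Configuration partition
    $configNC     = (Get-ADRootDSE).configurationNamingContext
    $oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

    $policy = @(Get-ADObject -SearchBase $oidContainer -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$PolicyDisplayName))" `
        -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink')
    if ($policy.Count -eq 0) { throw "No issuance policy named '$PolicyDisplayName' under $oidContainer" }
    if ($policy.Count -gt 1) { throw "Display name '$PolicyDisplayName' is not unique; pick the object by OID instead" }
    $policy = $policy[0]

    # AMA only honours universal security groups; fail loudly instead of writing a link that never fires
    $group = Get-ADGroup -Identity $GroupName
    if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
        throw "$GroupName must be a universal security group (is $($group.GroupScope)/$($group.GroupCategory))"
    }

    # The magic attribute: DN of the group, written on the OID object
    Set-ADObject -Identity $policy.DistinguishedName -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

    # Verify through the back-link that AD maintains on the group side
    $linked = Get-ADGroup -Identity $GroupName -Properties 'msDS-OIDToGroupLinkBl'
    [pscustomobject]@{
        PolicyOid = $policy.'msPKI-Cert-Template-OID'
        PolicyDN  = $policy.DistinguishedName
        GroupDN   = $group.DistinguishedName
        BackLink  = $linked.'msDS-OIDToGroupLinkBl'
    }
}

# Usage (assumed names):
#   Set-AmaGroupLink -PolicyDisplayName 'server admin' -GroupName 'SmartcardAdmins'
# After enrolling the certificate and logging on with the smart card, 'whoami /groups'
# on the client should list the group; a password logon should not.
```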


The next steps are of course the enrollment and issuance of the CA template to the correct users. But I hope you know how that works 😉
From here on you can put it on a Virtual Smart Card and start using it!


My Vaio died…
For all the ones that will be pointing and going "hahahahaha, told you so": whatever =)
In the end, it was the Samsung SSD inside that died…

Anyway, needed to reinstall my laptop. Quick list of essential tools!

And since the sudden disappearance of wallbase -> for a new wallpaper! 🙂

And for the first time I didn't make my account local admin 🙂 Let's see how that turns out 🙂

So, a quick little overview of my home audio setup 🙂

All UPnP/DLNA based…

Suggestions to improve, questions and comments are always welcome! 😎

Currently still not looking at Spotify actually… Most of the music I play is either podcasts or online sources (stubru 🙂 ).

… is pretty awesome for a headless torrent client! It even has a native PowerShell module! But it doesn't implement everything you want (runs only in an x86 shell, no magnet support, …).

Here's a quick (and very dirty) PoSh snippet to add magnets to the download engine using its REST API… (don't judge me on code quality!)

$accesstoken is the "API key" from the upper right corner, $id is whatever you want it to be, and ConvertTo-Json could probably be used as well… But it was late, and this works :-).

$accesstoken = '<API key from the upper right corner>'   # placeholder: fill in your own
$url         = '<REST endpoint URL of the download engine>' # placeholder: fill in your own

while ($magnet = Read-Host "gimme magnets") {
    # Request 1: adds the magnet; the JSON body of this here-string is not included in the post
    $body = @"
"@
    Invoke-RestMethod -Method Post -Uri $url -Headers @{ "Authorization" = "Token $accesstoken" } -Body $body -ContentType "application/json"

    # Request 2: second call whose result is shown as a table; body likewise not included in the post
    $body = @"
"@
    $res = Invoke-RestMethod -Method Post -Uri $url -Headers @{ "Authorization" = "Token $accesstoken" } -Body $body -ContentType "application/json"
    $res.result | Format-Table
}

Nietje is awesome!

Nietje is a Neato Botvac 75 and it vacuums our apartment 🙂

I love Nietje ❤

Its eyes consist of a very cool technology actually! It's called "lidar", and it combines the reflection of a laser, a photosensitive sensor and time of flight to calculate the distance to objects!

If you want, you can read about it on the following websites:

I recently found a USB port inside the machine! It's hidden next to the on/off button, behind the dust bin, behind a rubber plug! And there it is: a micro-USB port! Nice 🙂

Plugged it in, but Windows couldn't find a driver (vid_2108&pid_780c).
To get past that, you're going to need the official driver included in the update package.

And thanks to a guy called heX, we can control the robot 🙂 jeeeehaaaa




Windows Phone "doesn't support SSTP" as a VPN type, but Microsoft's own FieldMedic app reveals the following:

Description             : WAN Miniport (SSTP) #13
Interface Index         : 14
Type                    : 131
Media Type              : 12
Physical Medium         : 0
Operational Status      : Not Present
Interface Flags         : 0x1 = hardware
Speed                   : 0 b/s
Physical Address        : 10-2F-6B-xx-xx-xx
MTU                     : 0
Bytes Received          : 0
Bytes Sent              : 0
Rcv Packet Errors       : 0
Rcv Packets Discarded   : 0
Out Packet Errors       : 0
Out Packets Discarded   : 0

Come on, Microsoft!

Actually a scandalous story about unfair competition…

spot the best TV!


Take the photo here on the right. Part of a demo wall for televisions.

Now pick the TV with the best picture.

You would probably choose "top right" here.
Well-saturated colours, not overexposed like the others, sharp, … Everything you need, really?

Well, a salesman spent 30 minutes trying to sell us that model (LG).
It also simply had the best picture of the lot.
"Can't get any better, best-selling, great build quality, …"
The typical sales pitch, you know the drill…
Now, as it happens, we have the big brother of that LG hanging in the office.
And the picture may well be good, but I don't think much of that interface, that menu structure, …

I wanted a different one…
A Sony 😎
The online reviews were glowing everywhere.
Black levels, colour, input lag, software, interface, …
And once I've got something in my head, well… 😀

But the difference in picture quality between that Sony and that LG was really terribly big.
That Sony was dull, hazy, unsharp, overexposed, … Just bad…

So yeah, a strange situation: the internet says it's good, but reality is totally different?

Anyway, we go to another branch of the same chain: same scenario.
And we even go to yet another branch: the same scenario once again!

In the meantime I had checked the internet again, and still only positive things about those TVs came up.

At the last shop I was still simply doubting which one to take (and I was effectively leaning towards the LG).
Luckily my dearest girlfriend can still think a bit out of the box.
The building we were standing in housed, besides chain X, also Krefel! Lucky us!

We rushed in there, went to a very similar wall full of TV sets, and to our great surprise this was a tooootally different picture on that very same Sony. 😯

The same Panasonic, the same LG, the same Samsung and the same Sony sets as at X, but simply next to each other. No funny business, all equally sharp, all nice colours, all as they should be…
Thanks to Krefel for at least playing fair!

Is X really doing such extreme manipulation? Trying to rip off their customers like that?
Not that LG is a bad brand, certainly not, but why do they present it as the only "good" TV brand? Commission? Bribery?…
Or could they be right on some other level after all, and do that many people really have problems with Sony?
Only a few people know the real answer…

So I bought the Sony after all 🙂
At Krefel