Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2020-10-18) Official Speaker At HIP – Session: "Account Hygiene: Fixing The Bad For The Good!"

Posted by Jorge on 2020-10-18


Hybrid Identity Protection Conference

In just 3 days (and 2 hours), I’ll be logging on to share insight on "Account Hygiene: Fixing the Bad for the Good!" at #HIP2020! You can still register now at: https://hip.brighttalk.live/webinar/account-hygiene-fixing-the-bad-for-the-good/

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Uncategorized

(2020-10-17) Official Speaker At HIP – Session: "Account Hygiene: Fixing The Bad For The Good!"

Posted by Jorge on 2020-10-17


Hybrid Identity Protection Conference

You can catch me going LIVE at #HIP2020 on October 21st 17:00 (CEST) as I join in on the conversation about the hybrid identity world with my session, "Account Hygiene: Fixing the Bad for the Good!"! Register now: https://hip.brighttalk.live/webinar/account-hygiene-fixing-the-bad-for-the-good/

Cheers,

Jorge


Posted in Uncategorized

(2020-10-16) Official Speaker At HIP – Session: "Account Hygiene: Fixing The Bad For The Good!"

Posted by Jorge on 2020-10-16


Hybrid Identity Protection Conference

Save the date: October 21st 17:00 (CEST) – #HIP2020 is going to be a conference you don’t want to miss! Sign up to attend my session at: https://hip.brighttalk.live/webinar/account-hygiene-fixing-the-bad-for-the-good/

Cheers,

Jorge


Posted in Uncategorized

(2020-10-15) Official Speaker At HIP – Session: "Account Hygiene: Fixing The Bad For The Good!"

Posted by Jorge on 2020-10-15


Hybrid Identity Protection Conference

I’m an official speaker for #HIP2020! Join me LIVE on October 21st 17:00 (CEST) as I cover "Account Hygiene: Fixing the Bad for the Good!". Sign up at https://hip.brighttalk.live/webinar/account-hygiene-fixing-the-bad-for-the-good/.

Cheers,

Jorge


Posted in Conferences

(2020-10-14) 6 Steps To Mitigate The ZeroLogon Vulnerability

Posted by Jorge on 2020-10-14


About a month or so ago I blogged about the ZeroLogon vulnerability. Check it out HERE.

Now, why is this all important? I think I can say this is one of the meanest vulnerabilities I have seen: it can cost you control of your AD. Mitigation is quite easy through a number of steps:

  1. Install at least the August patch on ALL your DCs if you have not done that already. You did not do this yet? Seriously? Living under a stone? Remember: ANYONE on your network that can communicate with your DC has the ability to own and control your AD domain/forest!
  2. Monitor the System Event Log of ALL your DCs for event ID 5829, which is logged whenever a vulnerable Netlogon secure channel connection is used and allowed. TIP: to ease this, use Azure Log Analytics, which gets all the information in one place. In Azure Log Analytics you can then use the KQL query displayed below, which gives you all the systems and the number of times each established a vulnerable Netlogon secure channel connection.
  3. If ANY SYSTEM still uses vulnerable Netlogon connections, EITHER…
    1. Patch/fix the software/firmware if a fix is available (preferred!)
    2. If a fix is not available immediately because the vendor is working on it, create a security group in AD and make all the systems for which a fix is not yet available a member of that group. Then, in the policy “Computer Configuration > Windows Settings > Security Settings > Security Options > Domain controller: Allow vulnerable Netlogon secure channel connections”, specify that security group as the exception list.
  4. When ALL SYSTEMS previously using vulnerable Netlogon connections are either fixed/updated or configured as an exception, enable enforcement mode as explained here.
  5. Monitor the System Event Log of ALL your DCs for event IDs 5827, 5828, 5830 and 5831 and take action as needed. Again, Azure Log Analytics helps you get all the information in one place; you can use the KQL queries displayed below.
    1. Event ID 5827: logged when a vulnerable Netlogon secure channel connection from a machine account is denied
    2. Event ID 5828: logged when a vulnerable Netlogon secure channel connection from a trust account is denied
    3. Event ID 5830: logged when a vulnerable Netlogon secure channel connection from a machine account is allowed due to the exception
    4. Event ID 5831: logged when a vulnerable Netlogon secure channel connection from a trust account is allowed due to the exception
  6. For all the systems in the exception group, chase the owners/vendors to fix/update the software before date XYZ (to be determined by yourself!) and tell them that after that date you will remove the accounts as members and they will have issues.

KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is allowed (Event ID 5829)

// Vulnerable Netlogon secure channel connection ALLOWED (machine account, enforcement not yet active)
Event
| where EventID == 5829
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is denied (Event ID 5827)

// Vulnerable Netlogon secure channel connection DENIED (machine account)
Event
| where EventID == 5827
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a trust account is denied (Event ID 5828)

// Vulnerable Netlogon secure channel connection DENIED (trust account)
Event
| where EventID == 5828
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is allowed due to the exception (Event ID 5830)

// Vulnerable Netlogon secure channel connection ALLOWED via the exception group (machine account)
Event
| where EventID == 5830
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a trust account is allowed due to the exception (Event ID 5831)

// Vulnerable Netlogon secure channel connection ALLOWED via the exception group (trust account)
Event
| where EventID == 5831
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer
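If the DC event logs are not (yet) forwarded to Azure Log Analytics, the same monitoring can be done straight against the DCs. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module, remote read access to the System log of every DC, and, like the KQL queries above, that the first event parameter carries the account name.

```powershell
# Added example (not from the original post): collect Netlogon events 5827-5831
# from the System log of every DC and summarize them per client, as an
# on-premises alternative to the Azure Log Analytics queries above.
# Assumes the ActiveDirectory RSAT module and remote event log read access.
Import-Module ActiveDirectory

# Meaning of each event ID, as described in the post
$eventMeaning = @{
    5827 = 'DENIED  - machine account (enforcement mode)'
    5828 = 'DENIED  - trust account (enforcement mode)'
    5829 = 'ALLOWED - machine account, still vulnerable (enforcement not yet on)'
    5830 = 'ALLOWED - machine account, via exception group'
    5831 = 'ALLOWED - trust account, via exception group'
}

$since = (Get-Date).AddDays(-7)            # look-back window, adjust as needed
$dcs   = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = 5827, 5828, 5829, 5830, 5831
            StartTime    = $since
        } | ForEach-Object {
            # Assumption taken from the post's KQL 'parse': the first event
            # parameter holds the account name (machine SamAccountName / trust name)
            [pscustomobject]@{
                DC      = $dc
                EventID = $_.Id
                Meaning = $eventMeaning[$_.Id]
                Client  = $_.Properties[0].Value
                Time    = $_.TimeCreated
            }
        }
    } catch {
        # "No events found" is the desired outcome on a clean DC; report anything else
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# One row per (EventID, Client): how often and how recently it happened
$events |
    Group-Object EventID, Client |
    ForEach-Object {
        [pscustomobject]@{
            EventID  = $_.Group[0].EventID
            Meaning  = $_.Group[0].Meaning
            Client   = $_.Group[0].Client
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } |
    Sort-Object EventID, @{Expression = 'Count'; Descending = $true} |
    Format-Table -AutoSize
```

Any row with event ID 5829 is a system that must be fixed or added to the exception group before enforcement mode is enabled; rows with 5830/5831 are the exception-group members you still need to chase (step 6).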

Now, what’s the benefit of using this approach? There is more than one!

  1. Any update released after February 9th 2021 will, once installed, enable enforcement mode automatically. Any system NOT in the exception list will have issues!
  2. The list of systems using vulnerable Netlogon secure channel connections will not grow; the longer you wait, the bigger the list might get. As YOU control the security group, you can tell any owner requiring Netlogon connections to FIRST fix/update their software, which will allow the Netlogon connection. Membership of the security group should decrease, NOT increase!

More details: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472

Cheers,

Jorge


Posted in Active Directory Domain Services (ADDS), Security, Vulnerability

(2020-10-14) Upcoming Hybrid Identity Protection (HIP) Conference

Posted by Jorge on 2020-10-14


Hybrid Identity Protection Conference

I’m an official speaker for #HIP2020! – Check out more about this free virtual conference at https://hip.brighttalk.live/summit/4810-hybrid-identity-protection-virtual-conference/

Cheers,

Jorge


Posted in Conferences

(2020-09-15) ZeroLogon Attack/Vulnerability Information

Posted by Jorge on 2020-09-15


This is about a serious attack on AD, which is currently possible when DCs are not patched and configured correctly. A lot of information, and tooling, has been available on the internet for about a month now about the ZeroLogon vulnerability and attack.

THIS IS A SERIOUS ONE! ACT NOW IF YOU HAVE NOT ALREADY!

Please use this for your own environment or for any customer you work for or know about. This requires immediate attention for ANY AD domain/forest that you manage, as just patching is not enough.

In addition to patching, forcing secure RPC is ALSO required to prevent unsecure anonymous requests in any way. Not forcing secure RPC means that anyone on the network can easily take over the AD domain and become a full-blown admin.

It is possible to check through event IDs who is currently using unsecure RPC. Those systems need to be patched ASAP.

For more detailed info, please see below.

ZeroLogon Attack/Vulnerability Information

Required Actions

  • Read and understand the information above
  • Test and evaluate
  • Install patches
  • Force the use of Secure RPC NOW, do not wait until Feb 21st where it will be enabled by default!

Cheers,

Jorge


Posted in Active Directory Domain Services (ADDS), Updates, Vulnerability, Windows Server

(2020-07-01) Re-Awarded for the 15th Time – MVP Enterprise Mobility (Identity And Access)

Posted by Jorge on 2020-07-01


Here we go again! 15 years of community service!

Today on July 1st I received an e-mail from Microsoft that I was re-awarded with the MVP Award for Enterprise Mobility in the Identity And Access area. This year is the fifteenth time I have received this award!

Let’s go for yet another year! Whooohoooo!

Roughly translated, Microsoft writes:

Dear Jorge de Almeida Pinto,
Once again we are pleased to present the 2020-2021 Microsoft Most Valuable Professional (MVP) Award in recognition of your extraordinary leadership in technical communities. We appreciate your outstanding contributions in the following technical communities in the past year: Enterprise Mobility

[Image: 15x award badge and Jorge de Almeida Pinto photo]

!!! Dear MVP Award Program, THANKS !!!

Cheers,

Jorge


Posted in Microsoft, MVP

(2020-05-08) Upgrading Azure AD Connect – Some Tips

Posted by Jorge on 2020-05-08


These are some tips I would like to share with you when upgrading Azure AD Connect.

[1] Before the upgrade I always export the global configuration and sync rules of Azure AD Connect to a folder, through a PowerShell script I wrote.

[2] During the upgrade, I ALWAYS UNcheck the following. Why? I like to have the opportunity to check things before any sync cycle starts.

Figure 1: “Ready To Configure” In The Azure AD Connect Upgrade Wizard

[3] After the upgrade I always check the global configuration options to see if anything is different compared to before the upgrade. You either need to have a good memory or create screenshots before the upgrade to be able to compare.

Azure AD Connect Wizard –> Configure –> View current configuration

Figure 2: Global Configuration Of Azure AD Connect

[4A] After the upgrade I always check the selected forests/domains/OUs to see if anything is different compared to before the upgrade. You either need to have a good memory, create screenshots before the upgrade to be able to compare, or have documentation describing what should be configured.

Azure AD Connect Wizard –> Configure –> Customize Synchronization Options

In this screen I really want to make sure everything is as it should be! For every connected directory I always expand every AD domain to be sure only the required OUs are selected and nothing else. This only applies if you have selected AD domains and OUs that need to be synced. The check is very simple: for every AD domain, expand and then collapse again. Look at the difference between figures 3 and 4.

Figure 3: Domain And OU Filtering – BEFORE Expanding

Figure 4: Domain And OU Filtering – AFTER Expanding And Collapsing

[4B] After the upgrade I always check the Optional Features, Azure AD Apps, Azure AD Attributes and Directory Extensions to see if anything is different compared to before the upgrade. You either need to have a good memory, create screenshots before the upgrade to be able to compare, or have documentation describing what should be configured. I always close/cancel the wizard by clicking on the cross in the upper right corner.

[5] After the upgrade I always export the global configuration and sync rules of Azure AD Connect to a folder, through a PowerShell script I wrote.

[6] After the upgrade I always compare the global configuration exported before the upgrade with the global configuration after the upgrade. This is done through a PowerShell script I wrote.

[7] After the upgrade I always compare the sync rules exported before the upgrade with the sync rules after the upgrade. This is done through a PowerShell script I wrote.

[8] After the upgrade I always check the “Application Event Log” for any “weirdness”, whatever that may be.

[9] After the upgrade I always check the most recent log files in the folder “C:\ProgramData\AADConnect” to see what happened during the AAD Connect upgrade and to see if there is any weirdness.

[10] And when everything is OK, I re-enable the sync schedule and manually start a sync cycle!
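The export and compare steps (1, 5, 6 and 7) can be scripted with the ADSync module that ships with Azure AD Connect. The script below is an added example and not the author's own scripts; it assumes it runs on the Azure AD Connect server with the ADSync module available, and the folder names are placeholders.

```powershell
# Added example (not the author's own scripts): export the Azure AD Connect global
# settings and sync rules to a folder (steps 1 and 5) and compare two exports
# (steps 6 and 7). Assumes it runs on the Azure AD Connect server, where the
# ADSync module is installed.
Import-Module ADSync

function Export-AADConnectConfig {
    param([Parameter(Mandatory)][string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null

    # Global settings: one "Name=Value" line per parameter, sorted for a stable diff
    (Get-ADSyncGlobalSettings).Parameters |
        Sort-Object Name |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value } |
        Set-Content -Path (Join-Path $Folder 'GlobalSettings.txt')

    # Sync rules: one XML file per rule, named by Identifier (stable across
    # upgrades, unlike Precedence or Name, which an upgrade may change)
    foreach ($rule in Get-ADSyncRule) {
        $rule | Export-Clixml -Depth 6 -Path (Join-Path $Folder "Rule_$($rule.Identifier).xml")
    }
}

function Compare-AADConnectConfig {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)

    '== Global settings: <= only before the upgrade, => only after =='
    Compare-Object -ReferenceObject  (Get-Content (Join-Path $Before 'GlobalSettings.txt')) `
                   -DifferenceObject (Get-Content (Join-Path $After  'GlobalSettings.txt'))

    '== Sync rules =='
    $beforeRules = Get-ChildItem -Path $Before -Filter 'Rule_*.xml'
    $afterRules  = Get-ChildItem -Path $After  -Filter 'Rule_*.xml'

    # Rules that exist on only one side (removed or added by the upgrade)
    Compare-Object $beforeRules.Name $afterRules.Name | ForEach-Object {
        $side = if ($_.SideIndicator -eq '<=') { 'only BEFORE upgrade' } else { 'only AFTER upgrade' }
        '{0}: {1}' -f $_.InputObject, $side
    }

    # Rules on both sides: a different file hash means the rule definition changed
    foreach ($file in $beforeRules) {
        $afterFile = Join-Path $After $file.Name
        if (-not (Test-Path $afterFile)) { continue }
        if ((Get-FileHash $file.FullName).Hash -ne (Get-FileHash $afterFile).Hash) {
            $name = (Import-Clixml $file.FullName).Name
            '{0} ({1}): CHANGED - diff the two XML files' -f $name, $file.Name
        }
    }
}

# Before the upgrade:  Export-AADConnectConfig -Folder 'C:\AADC-Export\Before'
# After the upgrade:   Export-AADConnectConfig -Folder 'C:\AADC-Export\After'
#                      Compare-AADConnectConfig -Before 'C:\AADC-Export\Before' -After 'C:\AADC-Export\After'
```

Run the compare before re-enabling the sync schedule (step 10), so that an unexpected rule or setting change never reaches Azure AD.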

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory
