Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Active Directory Domain Services (ADDS)’ Category

(2021-07-21) Microsoft Releases “Azure Active Directory Security Operations Guide”

Posted by Jorge on 2021-07-21


Microsoft has released a security operations guide focusing on:

  • User Accounts
  • Privileged Accounts
  • Privileged Identity Management
  • Applications
  • Devices
  • Infrastructure

Lots of info and guidance. Now go get it, read it and implement whatever benefits you.

See: Azure Active Directory security operations guide

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Windows Azure Active Directory | Leave a Comment »

(2020-10-14) 6 Steps To Mitigate The ZeroLogon Vulnerability

Posted by Jorge on 2020-10-14


About a month or so ago I blogged about the ZeroLogon vulnerability. Check it out HERE

Now why is this all important? I think I can say this is one of the meanest vulnerabilities that I have seen, for which you can lose control of your AD. Mitigation is quite easy through a number of steps, being:

  1. Install at least the August patch on at least ALL your DCs if you have not done that already. You did not do this yet? Seriously? Living under a stone? Remember: ANYONE on your network that can communicate with your DC has the ability to own and control your AD domain/forest!
  2. Monitor the System Event Log of ALL your DCs for event ID 5829, which is logged whenever a vulnerable Netlogon secure channel connection is used and allowed. TIP: to ease this, use Azure Log Analytics, which helps you get all the information in one place! In Azure Log Analytics you can then use the KQL query displayed below, which gives you all the servers and the number of times each established a vulnerable Netlogon secure channel connection
  3. If ANY SYSTEM still uses vulnerable netlogon connections, EITHER…
    1. Patch/fix software/firmware if available (preferred!)
    2. If a fix is not available immediately because the vendor is working on it, create a security group in AD and make all the systems for which a fix is not yet available a member of that group. Then in the policy “Computer Configuration > Windows Settings > Security Settings > Security Options > Domain controller: Allow vulnerable Netlogon secure channel connections” specify that security group as the exception list
  4. When ALL SYSTEMS previously using vulnerable Netlogon connections are either fixed/updated or configured as an exception, enable enforcement mode as explained here
  5. Monitor the System Event Log of ALL your DCs for event ID 5827, 5828, 5830, 5831 and take action as needed. Again, Azure Log Analytics helps you get all the information in one place! You can use the KQL queries displayed below
    1. Event ID 5827: logged when a vulnerable Netlogon secure channel connection from a machine account is denied
    2. Event ID 5828: logged when a vulnerable Netlogon secure channel connection from a trust account is denied
    3. Event ID 5830: logged when a vulnerable Netlogon secure channel connection from a machine account is allowed due to the exception
    4. Event ID 5831: logged when a vulnerable Netlogon secure channel connection from a trust account is allowed due to the exception
  6. For all those systems in the exception group, chase the owners/vendors to fix/update the software before date XYZ (t.b.d. by yourself!) and tell them after that date you will remove the accounts as members and they will have issues

KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is allowed (Event ID 5829)

Event
| where EventID == 5829
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is denied (Event ID 5827)

Event
| where EventID == 5827
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a trust account is denied (Event ID 5828)

Event
| where EventID == 5828
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is allowed due to the exception (Event ID 5830)

Event
| where EventID == 5830
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a trust account is allowed due to the exception (Event ID 5831)

Event
| where EventID == 5831
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

Now, what’s the benefit of using this approach? There are several benefits!

  1. Any update that is installed, which is released after February 9th 2021, will enable enforcement mode automatically. Any system NOT in the exception list will have issues!
  2. The list of systems using vulnerable Netlogon secure channel connections, will not grow. The longer you wait the bigger the list might get. As YOU control the security group you can tell any owner requiring netlogon connections, to FIRST fix/update their software, which will allow the netlogon connection. Membership of the security group should decrease, NOT increase!
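The triage behind steps 2 to 6, as an added example that is not part of the original post: it takes Netlogon events 5827-5831 plus the exception group membership and reports, per client, what to do next. The function name `Get-NetlogonTriage`, the 30-day quiet window and the sample records are assumptions or constructed; the commented `Get-WinEvent` line assumes, like the post's KQL, that the first event parameter is the client.

```powershell
# Added example, not the post author's code. Get-NetlogonTriage, $QuietDays and
# the sample records at the bottom are hypothetical/constructed.
function Get-NetlogonTriage {
    param(
        [object[]]$Events,                  # records with Id, TimeCreated, Client
        [string[]]$ExceptionMembers = @(),  # sAMAccountNames in the exception group
        [datetime]$Now = (Get-Date),
        [int]$QuietDays = 30                # assumption: 30 quiet days = fixed
    )
    $cutoff = $Now.AddDays(-$QuietDays)
    $recent = @($Events | Where-Object { $_.TimeCreated -ge $cutoff })
    $names  = @($recent | ForEach-Object Client) + @($ExceptionMembers) | Sort-Object -Unique
    foreach ($n in $names) {
        $mine = @($recent | Where-Object Client -eq $n)
        $ids  = @($mine | ForEach-Object Id | Sort-Object -Unique)
        $action = if ($mine.Count -eq 0) {
            'Exception member with no recent events: candidate for removal (step 6)'
        } elseif ($ids -contains 5827 -or $ids -contains 5828) {
            'Denied: fix the client, or add it to the exception group (step 3)'
        } elseif ($ids -contains 5829) {
            'Allowed, not yet enforced: fix or except before enforcement (steps 3-4)'
        } else {
            'Allowed by exception only (5830/5831): chase owner/vendor (step 6)'
        }
        [pscustomobject]@{
            Client   = $n
            EventIds = $ids -join ','
            LastSeen = ($mine | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
            Action   = $action
        }
    }
}

# Live input per DC would look like this; taking the first event parameter as the
# client mirrors the post's KQL and is an assumption about the event layout:
#   Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName='System'; Id=5827..5831} |
#     Select-Object Id, TimeCreated, @{n='Client'; e={$_.Properties[0].Value}}

$now = [datetime]'2020-10-14'
$sample = @(   # constructed records
    [pscustomobject]@{ Id = 5829; TimeCreated = $now.AddDays(-2);  Client = 'NAS01$' }
    [pscustomobject]@{ Id = 5829; TimeCreated = $now.AddDays(-1);  Client = 'NAS01$' }
    [pscustomobject]@{ Id = 5830; TimeCreated = $now.AddDays(-3);  Client = 'PRINT07$' }
    [pscustomobject]@{ Id = 5827; TimeCreated = $now.AddDays(-1);  Client = 'LEGACYAPP$' }
    [pscustomobject]@{ Id = 5830; TimeCreated = $now.AddDays(-90); Client = 'SCANNER02$' }
)
Get-NetlogonTriage -Events $sample -ExceptionMembers 'PRINT07$', 'SCANNER02$' -Now $now |
    Format-Table -AutoSize
```

Rows flagged as removal candidates are what keeps the exception group shrinking rather than growing; confirm with the system owner before removing a member.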

More details: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472

Cheers,

Jorge


Posted in Active Directory Domain Services (ADDS), Security, Vulnerability | Leave a Comment »

(2020-09-15) ZeroLogon Attack/Vulnerability Information

Posted by Jorge on 2020-09-15


This is about a serious attack on AD, which is currently possible when not patched and configured correctly. A lot of information and tooling about the ZeroLogon vulnerability and attack has been available on the internet for a month or so.

THIS IS A SERIOUS ONE! ACT NOW IF YOU HAVE NOT ALREADY!

Please use this for your own environment or for any customer you work for or know about. This requires immediate attention for ANY AD domain/forest that you manage, as just patching is not enough.

In addition to patching, forcing secure RPC is ALSO required to prevent unsecure anonymous requests in any way. Not forcing secure RPC means that anyone on the network can easily take over the AD domain and become a full-blown admin.

It is possible to check through event IDs who is currently using unsecure RPC. Those systems need to be patched ASAP.

For more detailed info, please see below.

ZeroLogon Attack/Vulnerability Information

Required Actions

  • Read and understand the information above
  • Test and evaluate
  • Install patches
  • Force the use of Secure RPC NOW, do not wait until Feb 21st where it will be enabled by default!

Cheers,

Jorge


Posted in Active Directory Domain Services (ADDS), Updates, Vulnerability, Windows Server | 1 Comment »

(2020-02-14) Creating An HTML Report Of All Password And Account Lockout Policies In The AD Forest

Posted by Jorge on 2020-02-14


It was one of those days. Auditors came in to audit stuff. One of the questions was to produce evidence about the password and account lockout policy in the default domain policy. Those guys are probably still living in the Windows Server 2003 ages, as Windows Server 2008 and later support so-called Password Settings Objects (PSOs), which let you have as many password and account lockout policies as you see fit for your environment. For example, a PSO for regular users, one for regular service accounts and one or more for your admin accounts.

Read more about it:

One of the environments I work with has multiple AD domains and each AD domain has multiple PSOs. Creating a report with all the settings is quite painful, unless you use PowerShell! Then it is as easy as taking candy from your kids!

So how do you make this repeatable and at the same time keep the auditing guys happy with a nice overview? By using a report similar to:


Figure 1: An HTML Report Of All Password And Account Lockout Policies

The script that produces that? Get it from here: https://gallery.technet.microsoft.com/Building-A-Password-And-d18f991f

Example report: Password And Account Lockout Policy HTML Report (Example)

Have fun!

Cheers,

Jorge


Posted in Active Directory Domain Services (ADDS), Fine Grained Password Policies, Passwords | Leave a Comment »

(2020-01-23) Smartcard/PIN Better Than Username/Password?

Posted by Jorge on 2020-01-23


Think username/password is a bad thing (both are "something you know")? Using Smartcard/PIN ("something you know" & "something you have") instead for interactive logon? It is a bit better, but if a hacker has compromised your computer and is using e.g. Mimikatz, you’re still screwed! So, the answer is: “no, it is not better”


Figure 1: Mimikatz Output Displaying Clear Text PIN Of The Smart Card

Move away from it and go passwordless! Whatever you choose the secrets must be stored and accessed securely and there must be an “inaccessible” factor (e.g. biometric) or a dynamic factor (e.g. OTP, choosing value, etc.)


Posted in Active Directory Domain Services (ADDS), AuthN | Leave a Comment »

 