Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Auditing’ Category

(2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

Posted by Jorge on 2014-09-15


PowerShell Code to check if the SACL of each OU in the AD domain is in canonical order or not.

Also see this blog post.

# Clear The Screen Clear-Host # Get The UI Config $uiConfig = (Get-Host).UI.RawUI $uiConfig.ForegroundColor = "Yellow" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Get List Of OUs In AD Domain $listOfOUsToProcess = Get-ADOrganizationalUnit -Filter * | %{$_.DistinguishedName} # Process Each OU $OUsWithSACLInCanonicalOrder = @() $OUsWithSACLNOTInCanonicalOrder = @() $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) $aclOU = Get-Acl $ouDrivePath -Audit If ($aclOU.AreAuditRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO Have The SACL In Canonical Order" $ouObj."List Of OUs That DO Have The SACL In Canonical Order" = $ou $OUsWithSACLInCanonicalOrder += $ouObj } If (!$aclOU.AreAuditRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO NOT Have The SACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The SACL In Canonical Order" = $ou $OUsWithSACLNOTInCanonicalOrder += $ouObj } } $uiConfig.ForegroundColor = "Red" If ($OUsWithSACLNOTInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO NOT Have The SACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The SACL In Canonical Order" = "+++ NONE +++" $OUsWithSACLNOTInCanonicalOrder += $ouObj } $OUsWithSACLNOTInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Green" If ($OUsWithSACLInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO Have The SACL In Canonical Order" $ouObj."List Of OUs That DO Have The SACL In Canonical Order" = "+++ NONE +++" $OUsWithSACLInCanonicalOrder += $ouObj } $OUsWithSACLInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Yellow"

SNAGHTML322d8c92

Figure 1: Checking The Canonical Order Of The SACL On All OUs In The AD Domain Through PowerShell

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Advertisements

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | 4 Comments »

(2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object

Posted by Jorge on 2014-09-11


PowerShell Code to remove all auditing entries from one or multiple OUs for some security principal.

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entries..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.Audit | ?{$_.IdentityReference -eq $securityPrincipalAccount} | %{ $auditRule = $_ $aclOU.RemoveAuditRule($auditRule) } $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: SACL Before Removal

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

image

Figure 3: SACL After Removal

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | 4 Comments »

(2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object

Posted by Jorge on 2014-09-09


PowerShell Code to remove an auditing entry from one or multiple OUs for some security principal when executing some extended right (control access right) on some object.

Example object class: user

Example extended right: Reset Password

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase ($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Create Hash Table With The displayName And rightsGUID Of Each Extended Right (a.k.a. Control Access Right) $mappingTable_displayName_rightsGUID = @{} Get-ADObject -SearchBase $("CN=Extended-Rights," + $rootdse.ConfigurationNamingContext) ` -LDAPFilter "(&(objectClass=controlAccessRight)(rightsguid=*))" ` -Properties displayName,rightsGuid | %{ $mappingTable_displayName_rightsGUID[$_.displayName]=[System.GUID]$_.rightsGuid } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedCAR = "Reset Password" $schemaIDGUIDScopedCAR = $mappingTable_displayName_rightsGUID[$scopedCAR] $inheritanceScope = "Descendents" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ExtendedRight" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedCAR,$inheritanceScope,$schemaIDGUIDScopedObject $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped CAR...........: $scopedCAR" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.RemoveAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: SACL Before Removal

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

image

Figure 3: SACL After Removal

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | 4 Comments »

(2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object

Posted by Jorge on 2014-09-07


PowerShell Code to remove a specific auditing entry from one or multiple OUs for some security principal on some object.

Example object class: user

Example permission: Read Property

Example attribute: employeeID

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedAttribute = "employeeID" $schemaIDGUIDScopedAttribute = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedAttribute] $inheritanceScope = "Descendents" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ReadProperty" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedAttribute,$inheritanceScope,$schemaIDGUIDScopedObject $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped Attribute.....: $scopedAttribute" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.RemoveAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: SACL Before Removal

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

image

Figure 3: SACL After Removal

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | 4 Comments »

(2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object

Posted by Jorge on 2014-09-05


PowerShell Code to remove a specific auditing entry from one or multiple OUs for some security principal on some object.

Example object class: user

Example permission: Create Child

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $inheritanceScope = "All" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"CreateChild" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedObject,$inheritanceScope $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.RemoveAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: SACL Before Removal

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

image

Figure 2: Configuring The SACL Through PowerShell

image

Figure 3: SACL After Removal

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | 4 Comments »

(2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object

Posted by Jorge on 2014-09-03


PowerShell Code to add an auditing entry to one or multiple OUs for some security principal when executing some extended right (control access right) on some object.

Example object class: user

Example extended right: Reset Password

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase ($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Create Hash Table With The displayName And rightsGUID Of Each Extended Right (a.k.a. Control Access Right) $mappingTable_displayName_rightsGUID = @{} Get-ADObject -SearchBase $("CN=Extended-Rights," + $rootdse.ConfigurationNamingContext) ` -LDAPFilter "(&(objectClass=controlAccessRight)(rightsguid=*))" ` -Properties displayName,rightsGuid | %{ $mappingTable_displayName_rightsGUID[$_.displayName]=[System.GUID]$_.rightsGuid } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedCAR = "Reset Password" $schemaIDGUIDScopedCAR = $mappingTable_displayName_rightsGUID[$scopedCAR] $inheritanceScope = "Descendents" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ExtendedRight" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedCAR,$inheritanceScope,$schemaIDGUIDScopedObject $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " ADDING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped CAR...........: $scopedCAR" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.AddAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: Configuring The SACL Through PowerShell

image

Figure 2: The Auditing Entry That Was Added

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | 3 Comments »

(2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object

Posted by Jorge on 2014-09-01


PowerShell Code to add an auditing entry to one or multiple OUs for some security principal when reading/writing some attribute on some object.

Example object class: user

Example permission: Read Property and Write Property

Example attribute: employeeID

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedAttribute = "employeeID" $schemaIDGUIDScopedAttribute = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedAttribute] $inheritanceScope = "Descendents" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ReadProperty","WriteProperty" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedAttribute,$inheritanceScope,$schemaIDGUIDScopedObject $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " ADDING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped Attribute.....: $scopedAttribute" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.AddAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: Configuring The SACL Through PowerShell

image

Figure 2: The Auditing Entry That Was Added

image

Figure 3: Detailed Info Of The Auditing Entry

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | 4 Comments »

(2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object

Posted by Jorge on 2014-08-30


PowerShell Code to add an auditing entry to one or multiple OUs for some security principal when creating/deleting some object.

Example object class: user

Example permission: Create Child and Delete Child

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Configure Auditing For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $inheritanceScope = "All" # Security Principal To Audit For Actions $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define Auditing Entry $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"CreateChild","DeleteChild" $auditType = [System.Security.AccessControl.AuditFlags]::"Success","Failure" $auditDefinition = $securityPrincipalObject,$rightsCollection,$auditType,$schemaIDGUIDScopedObject,$inheritanceScope $auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($auditDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " ADDING Audit Entry..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " Audit Type...........: $auditType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath -Audit $aclOU.AddAuditRule($auditRule) $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: Configuring The SACL Through PowerShell

image

Figure 2: The Auditing Entry That Was Added

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting | 3 Comments »

(2013-07-08) Enabling Auditing Of Issued Claims In ADFS v1.0 and ADFS v1.1

Posted by Jorge on 2013-07-08


As an Identity Provider (IdP) and/or as a Service Provider (SP) you might need to be able to audit the issued claims in security tokens. This might be especially true if you are the SP that both owns the application and the data within the application and you have federation trusts setup with business partners.

If you are still using ADFS v1.x and you need to enable the auditing of issued claims you can do that by performing the following steps:

  • In the ADFS Trust Policy enable the following event levels: Success Audit, Failure Audit, Detailed Success, Detailed Failure
  • The account that is used in the ADFS application pool must have the “Generated Security Audits” user right on every ADFS v1.x STS server. This can be achieved through:
    • Configuring the user right mentioned within the local security policy of each ADFS v1.x STS server
      OR
    • Configuring the user right mentioned within a GPO, link that GPO to the OU that contains the computer account of each ADFS v1.x STS server and make sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering
  • At a minimum you must enable successes and failures for the subcategory  “Application Generated” within the category “Object Access”. This can be achieved by:
    • Issuing the following command on each ADFS v1.x STS server: AUDITPOL /SET /SUBCATEGORY:"Application Generated" /FAILURE:ENABLE /SUCCESS:ENABLE
      (This applies only to W2K8 and higher)
      OR
    • Configuring the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v1.x STS server and make sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering. (Within GPO: Within GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Object Access)
      (This applies only W2K3 and W2K8)
    • Configuring the subcategory “Application Generated” within the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v1.x STS server and make sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering. (Within GPO:  Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Application Generated)
      (This applies only W2K8 R2)

All the auditing events with regards to the claims issued can be found in the Security Event Log. If you expect a high churn of all kinds of auditing events in the security event log, you might need to centrally consolidate/store those events using a tool that is able to collect such information.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Auditing | 1 Comment »

(2010-07-30) Auditing In Windows Server 2008 R2

Posted by Jorge on 2010-07-30


Auditing In Windows Server 2008 also provided granular audit policies, but those were only configurable locally on each server through the utility called AUDITPOL. From within a GPO you could only configure the global auditing policies. Windows Server 2008 R2 now also allows you to configure the granular audit policies through a GPO.

The Granular Audit Policies can be found in a GPO at the following location:

–> Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration

It contains the following node and sub nodes:

  • Audit Policies
    • Account Logon
      • Audit Credential Validation
      • Audit Kerberos Authentication Service
      • Audit Kerberos Service Ticket Operations
      • Audit Other Account Logon Events
    • Account Management
      • Audit Application Group Management
      • Audit Computer Management
      • Audit Distribution Group Management
      • Audit Other Account Management Events
      • Audit Security Group Management
      • Audit User Account Management
    • Detailed Tracking
      • Audit DPAPI Activity
      • Audit Process Creation
      • Audit Process Termination
      • Audit RPC Events
    • DS Access
      • Audit Detailed Directory Service Replication
      • Audit Directory Service Access
      • Audit Directory Service Changes
      • Audit Directory Service Replication
    • Logon/Logoff
      • Audit Account Lockout
      • Audit IPSec Extended Mode
      • Audit IPSec Main Mode
      • Audit IPSec Quick Mode
      • Audit Logoff
      • Audit Logon
      • Audit Network Policy Server
      • Audit Other Logon/Logoff Events
      • Audit Special Logon
    • Object Access
      • Audit Application Generated
      • Audit Certification Services
      • Audit Detailed File Share
      • Audit File Share
      • Audit File System
      • Audit Filtering Platform Connection
      • Audit Filtering Platform Packet Drop
      • Audit Handle Manipulation
      • Audit Kernel Object
      • Audit Other Object Access Events
      • Audit Registry
      • Audit SAM
    • Policy Change
      • Audit Audit Policy Change
      • Audit Authentication Policy Change
      • Audit Authorization Policy Change
      • Audit Filtering Platform Policy Change
      • Audit MPSSVC Rule-Level Policy Change
      • Audit Other Policy Change Events
    • Privilege Use
      • Audit Non-Sensitive Privilege Use
      • Audit Sensitive Privilege Use
      • Audit Other Privilege Use Events
    • System
      • Audit IPsec Driver
      • Audit Other System Events
      • Audit Security State Change
      • Audit Security System Extension
      • Audit System Integrity
    • Global Object Access Auditing
      • File System (Global Object Access Auditing)
      • Registry (Global Object Access Auditing)

More detailed information about each auditing topic (including events) can be found:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Auditing, Windows Server | 2 Comments »

 
%d bloggers like this: