Archive for the ‘IT Pro Tools’ Category

(2019-11-21) Active Directory Security Scan Of Accounts (Part 5)

Posted by Jorge on 2019-11-21

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Account And Password Hygiene” related information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

Domain FQDN (e.g. ‘IAMTEC.NET’)
Domain NBT (e.g. ‘IAMTEC’)
Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
Sam Account Name (e.g. ‘jorge’)
Account Name (e.g. ‘IAMTEC\jorge’)
Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
Enabled (e.g. TRUE or FALSE)
Pwd Last Set On (e.g. <date/time> or "Must Chng At Next Logon")
Has Adm Count Stamp (e.g. TRUE or FALSE)
Delegatable Adm (e.g. TRUE or FALSE)
Does Not Req Pre-AuthN (e.g. TRUE or FALSE)
Has Sid History (e.g. TRUE or FALSE)
Has LM Hash (e.g. TRUE or FALSE)
Has Default Pwd (e.g. TRUE or FALSE)
Has Blank Pwd (e.g. TRUE or FALSE)
Uses DES Keys Only (e.g. TRUE or FALSE)
Has Missing AES Keys (e.g. TRUE or FALSE)
Pwd Rev Encrypt (e.g. TRUE or FALSE)
Pwd Not Req (e.g. TRUE or FALSE)
Pwd Never Expires (e.g. TRUE or FALSE)
Has Shared Pwd (e.g. TRUE – Domain Shrd Pwd Grp x Of y or FALSE)
Compromised Pwd (e.g. TRUE or FALSE)
Most Used Hash (e.g. <hash> (<count>) or N.A.)

–

When the script finishes, it produces a CSV report that contains every account in the AD forest that can authenticate (user, computer, gMSA, inetOrgPerson) and potentially be a threat, and it displays that CSV in a GridView automatically. The CSV can of course also be used in Excel if needed. With this information you may be able to remove or fix configurations and/or get an idea how things look like to mitigate risks as much as possible!

While the script is running it logs every to a log file. which is in the same folder as the script itself.

–

This script requires:

PowerShell Module: ActiveDirectory
PowerShell Module: LithnetPasswordProtection
PowerShell Module: DSInternals
LithNet Active Directory Password Protection Store With Banned Words And/Or Compromised Passwords/Hashes
Enterprise Admin Permissions, or at least "Replicate Directory Changes" and "Replicate Directory Changes All" for EVERY NC in the AD forest!
REMARK: Script does check for Enterprise Admin role permissions!

–

Scan/Check All Accounts In The AD Forest And Create The Report

.\Scan-And-Check-All-Accounts-In-AD-Forest_05_Account-And-Password-Hygiene-Info.ps1

–

The script has been tested in three different AD forests:

AD forest with a Single AD domain with less than 500 accounts and quite some account config
AD forest with a Single AD domain with approx. 150000 accounts and less account config
AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config

–

Figure 1a: Sample Output Of The Log File

–

Figure 1b: Sample Output Of The Log File

–

Figure 1c: Sample Output Of The Log File

–

Figure 1d: Sample Output Of The Log File

–

Figure 1e: Sample Output Of The Log File

–

To open the CSV on another computer and display it in GridView, execute the following command:

Import-CSV <Full Path To The CSV File> | Out-Gridview

Figure 2a: Sample Output Of The CSV File Displayed In PowerShell GridView

–

Figure 2b: Sample Output Of The CSV File Displayed In PowerShell GridView

–

To get the script, see: Scan And Check All Accounts In AD Forest – Account And Password Hygiene

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, IT Pro Tools, Passwords, PowerShell, Replication, Security, Security, Tooling/Scripting | 2 Comments »

(2019-11-18) Active Directory Security Scan Of Accounts (Part 4)

Posted by Jorge on 2019-11-18

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At Object Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

Domain FQDN (e.g. ‘IAMTEC.NET’)
Domain NBT (e.g. ‘IAMTEC’)
Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
Sam Account Name (e.g. ‘jorge’)
Account Name (e.g. ‘IAMTEC\jorge’)
Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
Protected Group Membership (e.g. <comma separated list of group account names> or "No Memberships")
REMARK: With protected groups, the focus is ONLY on default AD Protected Groups (e.g. BUILTIN\Administrators", "<DOMAIN>\Domain Admins", etc.)
REMARK: if protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
ACE On AdminSDHolder (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs
Powerful ACEs On Objects (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs

–

The following ACEs are considered powerful:

Full Control
Password Reset Control Access Rights
Control Access Right In General
WriteOwner (Allows to write the owner and that allows to write the DACL)
Write DACL
Write Property In General
Write Property For “lockoutTime” (Unlocking Account)
Write Property For “msDS-AllowedToDelegateTo” (Adding/removing accounts for account based delegation)
Write Property For “msDS-AllowedToActOnBehalfOfOtherIdentity” (Adding/removing accounts for resourced based delegation)
Write Property For “servicePrincipalName” (Adding/removing SPNs)
Write Property For “userAccountControl” (Managing security/delegation settings, enabling/disabling account)

–

While the script is running it logs every to a log file. which is in the same folder as the script itself.

–

This script requires:

PowerShell Module: ActiveDirectory
Basic User Permissions, Nothing Special!

–

Scan/Check All Accounts In The AD Forest And Create The Report

.\Scan-And-Check-All-Accounts-In-AD-Forest_04_Object-Level-Permissions-Info.ps1

–

The script has been tested in three different AD forests:

AD forest with a Single AD domain with less than 500 accounts and quite some account config
AD forest with a Single AD domain with approx. 150000 accounts and less account config
AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config

–

Figure 1a: Sample Output Of The Log File

–

Figure 1b: Sample Output Of The Log File

–

Figure 1c: Sample Output Of The Log File

–

Figure 1d: Sample Output Of The Log File

–

To open the CSV on another computer and display it in GridView, execute the following command:

Import-CSV <Full Path To The CSV File> | Out-Gridview

Figure 2: Sample Output Of The CSV File Displayed In PowerShell GridView

–

To get the script, see: Scan And Check All Accounts In AD Forest – Object Level Permissions Info

–

Cheers,

Jorge

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, Delegation Of Control, IT Pro Tools, PowerShell, Security, Security, Tooling/Scripting | Leave a Comment »

(2019-11-15) Active Directory Security Scan Of Accounts (Part 3)

Posted by Jorge on 2019-11-15

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At NC Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

Domain FQDN (e.g. ‘IAMTEC.NET’)
Domain NBT (e.g. ‘IAMTEC’)
Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
Sam Account Name (e.g. ‘jorge’)
Account Name (e.g. ‘IAMTEC\jorge’)
Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
DS Repl Chng Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
DS Repl Chng All Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
Migr SID History Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")

–

While the script is running it logs every to a log file. which is in the same folder as the script itself.

–

This script requires:

PowerShell Module: ActiveDirectory
Basic User Permissions, Nothing Special!

–

Scan/Check All Accounts In The AD Forest And Create The Report

.\Scan-And-Check-All-Accounts-In-AD-Forest_03_NC-Level-Permissions-Info.ps1

–

The script has been tested in three different AD forests:

AD forest with a Single AD domain with less than 500 accounts and quite some account config
AD forest with a Single AD domain with approx. 150000 accounts and less account config
AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config

–

Figure 1a: Sample Output Of The Log File

–

Figure 1b: Sample Output Of The Log File

–

Figure 1c: Sample Output Of The Log File

–

Figure 1d: Sample Output Of The Log File

–

To open the CSV on another computer and display it in GridView, execute the following command:

Import-CSV <Full Path To The CSV File> | Out-Gridview

Figure 2: Sample Output Of The CSV File Displayed In PowerShell GridView

–

To get the script, see: Scan And Check All Accounts In AD Forest – NC Level Permissions Info

–

Cheers,

Jorge

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, Delegation Of Control, IT Pro Tools, PowerShell, Security, Security, Tooling/Scripting | Leave a Comment »

(2019-11-12) Active Directory Security Scan Of Accounts (Part 2)

Posted by Jorge on 2019-11-12

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Kerberos Delegation” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

Domain FQDN (e.g. ‘IAMTEC.NET’)
Domain NBT (e.g. ‘IAMTEC’)
Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
Sam Account Name (e.g. ‘jorge’)
Account Name (e.g. ‘IAMTEC\jorge’)
Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
Service Principal Name(s) (e.g. <comma separated list of SPNs> or "No SPNs")
Acc Based Deleg Type (e.g. "No-Acc-Deleg" or "Acc-Unc-Deleg" or "Acc-Con-Deleg-AnyAuthN" or "Acc-Con-Deleg-KerbAuthN"
Acc Based Deleg To (e.g. <comma separated list of SPNs> or "No Delegated SPNs")
Res Based Deleg For (e.g. <comma separated list of user account names with type and domain listed> or "No-Res-Deleg"

–

While the script is running it logs every to a log file. which is in the same folder as the script itself.

–

This script requires:

PowerShell Module: ActiveDirectory
Basic User Permissions, Nothing Special!

–

Scan/Check All Accounts In The AD Forest And Create The Report

.\Scan-And-Check-All-Accounts-In-AD-Forest_02_Delegation-Info.ps1

–

The script has been tested in three different AD forests:

AD forest with a Single AD domain with less than 500 accounts and quite some account config
AD forest with a Single AD domain with approx. 150000 accounts and less account config
AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config

–

Figure 1a: Sample Output Of The Log File

–

Figure 1b: Sample Output Of The Log File

–

Figure 1c: Sample Output Of The Log File

–

Figure 1d: Sample Output Of The Log File

–

To open the CSV on another computer and display it in GridView, execute the following command:

Import-CSV <Full Path To The CSV File> | Out-Gridview

Figure 2: Sample Output Of The CSV File Displayed In PowerShell GridView

–

To get the script, see: Scan And Check All Accounts In AD Forest – Delegation Info

–

Cheers,

Jorge

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, Delegation, IT Pro Tools, Kerberos AuthN, Kerberos Constrained Delegation, PowerShell, Security, Security, Tooling/Scripting | Leave a Comment »

(2019-11-09) Active Directory Security Scan Of Accounts (Part 1)

Posted by Jorge on 2019-11-09

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “basic” account information that is related to security.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

Domain FQDN (e.g. ‘IAMTEC.NET’)
Domain NBT (e.g. ‘IAMTEC’)
Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
Sam Account Name (e.g. ‘jorge’)
Account Name (e.g. ‘IAMTEC\jorge’)
Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
User Principal Name (e.g. ‘jorge@iamtec.nl’)
Display Name (e.g. Jorge de Almeida Pinto)
Enabled (e.g. TRUE or FALSE)
Locked (e.g. TRUE – At:<date/time> or FALSE – Never Locked or FALSE – Has Been Locked Before)
Account Expires On (e.g. <date/time> or NEVER)
Pwd Last Set On (e.g. <date/time> or "Must Chng At Next Logon")
Pwd Never Expires (e.g. TRUE or FALSE)
Last Logon Timestamp (e.g. <date/time> or NEVER)
Last Logon (RWDC) (e.g. <date/time> or NEVER Or NOT AVAILABLE (On ‘<FQDN RWDC>’)) <– THIS MEANS IT WILL QUERY EVERY DC (RWDC And RODC) In The AD Domain To Get The LastLogon Property From That DC! (Will be slow!)

–

While the script is running it logs every to a log file. which is in the same folder as the script itself.

–

This script requires:

PowerShell Module: ActiveDirectory
Basic User Permissions, Nothing Special!

–

Scan/Check All Accounts In The AD Forest And Create The Report

.\Scan-And-Check-All-Accounts-In-AD-Forest_01_Basic-Info.ps1

–

The script has been tested in three different AD forests:

AD forest with a Single AD domain with less than 500 accounts and quite some account config
AD forest with a Single AD domain with approx. 150000 accounts and less account config
AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config

–

Figure 1a: Sample Output Of The Log File

–

Figure 1b: Sample Output Of The Log File

–

Figure 1c: Sample Output Of The Log File

–

Figure 1d: Sample Output Of The Log File

–

To open the CSV on another computer and display it in GridView, execute the following command:

Import-CSV <Full Path To The CSV File> | Out-Gridview

Figure 2: Sample Output Of The CSV File Displayed In PowerShell GridView

–

To get the script, see: Scan And Check All Accounts In AD Forest – Basic Info

–

Cheers,

Jorge

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, IT Pro Tools, Last Logon Information, PowerShell, Security, Security, Tooling/Scripting | Leave a Comment »

(2019-11-08) Active Directory Security Scan Of Accounts

Posted by Jorge on 2019-11-08

This month will have a serious security focus in scanning your AD to determine all kinds of account configurations, see relations between those configurations and mitigate any security risks due to combined configurations. A simple example can be an account with unconstrained delegation configured while it has a weak/compromised password, etc, etc.

To scan the accounts within an Active Directory forest, I will be releasing 5 PowerShell scripts.

–

[Script 1] .\Scan-And-Check-All-Accounts-In-AD-Forest_01_Basic-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “basic” account information that is related to security.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

Domain FQDN (e.g. ‘IAMTEC.NET’)
Domain NBT (e.g. ‘IAMTEC’)
Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
Sam Account Name (e.g. ‘jorge’)
Account Name (e.g. ‘IAMTEC\jorge’)
Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
User Principal Name (e.g. ‘jorge@iamtec.nl’)
Display Name (e.g. Jorge de Almeida Pinto)
Enabled (e.g. TRUE or FALSE)
Locked (e.g. TRUE – At:<date/time> or FALSE – Never Locked or FALSE – Has Been Locked Before)
Account Expires On (e.g. <date/time> or NEVER)
Pwd Last Set On (e.g. <date/time> or "Must Chng At Next Logon")
Pwd Never Expires (e.g. TRUE or FALSE)
Last Logon Timestamp (e.g. <date/time> or NEVER)
Last Logon (RWDC) (e.g. <date/time> or NEVER Or NOT AVAILABLE (On ‘<FQDN RWDC>’))

–

[Script 2] .\Scan-And-Check-All-Accounts-In-AD-Forest_02_Delegation-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Kerberos Delegation” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

Domain FQDN (e.g. ‘IAMTEC.NET’)
Domain NBT (e.g. ‘IAMTEC’)
Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
Sam Account Name (e.g. ‘jorge’)
Account Name (e.g. ‘IAMTEC\jorge’)
Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
Service Principal Name(s) (e.g. <comma separated list of SPNs> or "No SPNs")
Acc Based Deleg Type (e.g. "No-Acc-Deleg" or "Acc-Unc-Deleg" or "Acc-Con-Deleg-AnyAuthN" or "Acc-Con-Deleg-KerbAuthN"
Acc Based Deleg To (e.g. <comma separated list of SPNs> or "No Delegated SPNs")
Res Based Deleg For (e.g. <comma separated list of user account names with type and domain listed> or "No-Res-Deleg"

–

[Script 3] .\Scan-And-Check-All-Accounts-In-AD-Forest_03_NC-Level-Permissions-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At NC Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

Domain FQDN (e.g. ‘IAMTEC.NET’)
Domain NBT (e.g. ‘IAMTEC’)
Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
Sam Account Name (e.g. ‘jorge’)
Account Name (e.g. ‘IAMTEC\jorge’)
Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
DS Repl Chng Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
DS Repl Chng All Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
Migr SID History Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")

–

[Script 4] .\Scan-And-Check-All-Accounts-In-AD-Forest_04_Object-Level-Permissions-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At Object Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

Domain FQDN (e.g. ‘IAMTEC.NET’)
Domain NBT (e.g. ‘IAMTEC’)
Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
Sam Account Name (e.g. ‘jorge’)
Account Name (e.g. ‘IAMTEC\jorge’)
Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
Protected Group Membership (e.g. <comma separated list of group account names> or "No Memberships")
REMARK: With protected groups, the focus is ONLY on default AD Protected Groups (e.g. BUILTIN\Administrators", "<DOMAIN>\Domain Admins", etc.)
REMARK: if protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
ACE On AdminSDHolder (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs
Powerful ACEs On Objects (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs

–

[Script 5] \Scan-And-Check-All-Accounts-In-AD-Forest_05_Account-And-Password-Hygiene-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Account And Password Hygiene” related information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

Domain FQDN (e.g. ‘IAMTEC.NET’)
Domain NBT (e.g. ‘IAMTEC’)
Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
Sam Account Name (e.g. ‘jorge’)
Account Name (e.g. ‘IAMTEC\jorge’)
Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
Enabled (e.g. TRUE or FALSE)
Pwd Last Set On (e.g. <date/time> or "Must Chng At Next Logon")
Has Adm Count Stamp (e.g. TRUE or FALSE)
Delegatable Adm (e.g. TRUE or FALSE)
Does Not Req Pre-AuthN (e.g. TRUE or FALSE)
Has Sid History (e.g. TRUE or FALSE)
Has LM Hash (e.g. TRUE or FALSE)
Has Default Pwd (e.g. TRUE or FALSE)
Has Blank Pwd (e.g. TRUE or FALSE)
Uses DES Keys Only (e.g. TRUE or FALSE)
Has Missing AES Keys (e.g. TRUE or FALSE)
Pwd Rev Encrypt (e.g. TRUE or FALSE)
Pwd Not Req (e.g. TRUE or FALSE)
Pwd Never Expires (e.g. TRUE or FALSE)
Has Shared Pwd (e.g. TRUE – Domain Shrd Pwd Grp x Of y or FALSE)
Compromised Pwd (e.g. TRUE or FALSE)
Most Used Hash (e.g. <hash> (<count>) or N.A.)

–

Interested in this? Stay tuned!

Thanks!

–

Cheers,

Jorge

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, Delegation, Delegation Of Control, IT Pro Tools, Kerberos Constrained Delegation, Last Logon Information, Passwords, PowerShell, Replication, Security, Tooling/Scripting | 2 Comments »

(2019-11-06) Azure AD Password Protection (A.k.a. Banned Password List) – Third Party Solution LithNet AD Password Protection (Part 9)

Posted by Jorge on 2019-11-06

In addition to Azure AD Password Protection, of course there are also other third-party solutions. Azure AD Password Protection performs one heck of a job.

Nevertheless, I do believe it would be an even better solution if:

it would allow customization of the algorithm
would allow to remove the limit of 1000 words
would be easy to determine what is already on the global MSFT list (also see: (2019-10-28) Azure AD Password Protection (A.k.a. Banned Password List) – Optimizing The Custom Per Tenant List (Part 6)
would allow integration with external solutions like “Have I Been Pwned”
would allow easy testing of passwords against it to see if accepted, rejected or even compromised

–

One solution that caught my attention is: LithNet Active Directory Password Protection.

At a high level, its features are:

Does NOT have the limits specified above (except bullet 3)
Can work alongside the MSFT Password Solution if needed
Can run in LSA protected mode (co-signed by Microsoft) (https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
Ability to take control of what a good password means to you
Fully or partially adopt 2018 NIST password recommendations (https://pages.nist.gov/800-63-3/sp800-63b.html)

An eight character minimum and 64 character maximum length
The ability to use all special characters but no special requirement to use them
Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa)
Restrict context specific passwords (e.g. such as the name of the service, the username, and derivatives thereof, etc.)
Restrict commonly used passwords (e.g. p@ssw0rd, etc.)
Restrict passwords obtained from previous breach corpuses

Ability to be used against domain accounts and local accounts on workstations and servers
Rich set of group policy-based controls that allow to enable any combination of the following checks on attempted password changes (BE CAREFULL WHEN USING MULTIPLE POLICIES AS ONE MIGHT IMPACT THE OTHER!):
- General settings
  - Disable password filter
- Regular expression policies
  - Passwords must match regular expression
    AND/OR
  - Passwords must NOT match regular expression
- Complexity policies
  - Points-based complexity policy definition. Assign points for the use of certain characters and categories and set a minimum point threshold a password must meet.
    Minimum # points required to allow/approve password
    - # Points for each character used
    - # Points for each number used
    - # Points for each lower case letter used
    - # Points for each upper case letter used
    - # Points for each symbol used
    - # Points for at least 1 number used
    - # Points for at least 1 lower case letter used
    - # Points for at least 1 upper case letter used
    - # Points for at least 1 symbol used
  - Length based complexity policy definition. For example, you can require number, symbol, upper and lower for passwords less than 13 characters, but have no special requirements for passwords 13 characters or longer. Reward length, with less complexity.
    REMARK: It is recommended to disable the built-in Active Directory password complexity requirements policy when this policy is enabled.
    REMARK: What happens when the password equals X or Y?)
    - Threshold Level 1 – less than X
      - Total number of character sets required (number, symbol, lower case letter, upper case letter)
      - Exact characters sets required at a minimum:
        
        Lower case letter
        
        Upper case letter
        
        Symbol
        
        Number
        
        Number or symbol
    - Threshold Level 2 – equal to or longer than X and less than Y
      - Total number of character sets required (number, symbol, lower case letter, upper case letter)
      - Exact characters sets required at a minimum:
        
        Lower case letter
        
        Upper case letter
        
        Symbol
        
        Number
        
        Number or symbol
    - Threshold Level 3 – equal to or longer than Y
      - Total number of character sets required (number, symbol, lower case letter, upper case letter)
      - Exact characters sets required at a minimum:
        
        Lower case letter
        
        Upper case letter
        
        Symbol
        
        Number
        
        Number or symbol
  - Minimum password length
    REMARK: It is recommended to disable the built-in Active Directory password complexity requirements policy when this policy is enabled.
- Password Content Policies
  - Reject passwords that contain the user’s account name (username length must be greater than 3)
  - Reject passwords that contain all or any part of the user’s display name
  - Reject passwords found in the compromised password store (Checks the exact password specified by the user against the list of compromised passwords)
    - Requires the import of the "Have I Been Pwned" (HIBP) password list!
    - Allows for differentiation between CHANGE and RESET
  - Reject normalized passwords found in the compromised password store (normalization rules) (Checks the normalized password specified by the user against the list of compromised passwords)
    - Requires the import of the "Have I Been Pwned" (HIBP) password list!
      AND/OR
    - Requires the addition of your own forbidden passwords!
    - Allows for differentiation between CHANGE and RESET
  - Reject normalized passwords found in the banned word store (Adding a banned word prevents it from being used as the base of a password. For example, adding the word ‘password’ to the banned word store, prevents not only the use of that word itself, but common variants such as ‘P@ssw0rd’, ‘pa55word!’ and ‘password123456!’. LPP is aware of common character substitutions and weak obfuscations and prevents their use through a normalization process.)
    - Requires the import of banned words!
    - Allows for differentiation between CHANGE and RESET
Full PowerShell support which is used to;
- Manage the compromised password and banned word stores. Add your own banned words and compromised passwords, as well as use popular databases such as the haveibeenpwned.com downloadable password list (‘NTLM ordered by hash’ list)
- Test passwords and existing hashes against the compromised store
- Check to see if your user’s current passwords in AD are found in the compromised password store (based upon DS Internals!)
Passwords never leave the domain controller
Designed for large environments where high performance is required
Creates detailed event logs (Event Log: "Application", Source: "LithnetPasswordProtection")
Uses a DFS-R friendly data store
No internet access required
No additional servers required for deployment
Group policy support

–

Some numbers regarding the usage of Lith Active Directory Password Protection (Source: https://twitter.com/lithnet_io/status/1154892852184248320?s=12)

Australian university, 180000 users, 6 countries
Czech Republic and Slovakia, mobile operators, 15000 users
50,000 users, manufacturing. Testing in another forest with 400,000.
1000 user’s. Hospitality industry!
Humanitarian company. 14000 users worldwide
…and most likely there are more companies using it

–

More information:

–

Make sure to give it a try, as this really rocks! Oh and buy Ryan a beer as he really deserves it, looking at the cool stuff he designs and builds and makes it available for others to use.

–

Cheers,

Jorge

Posted in Active Directory Domain Services (ADDS), IT Pro Tools, Passwords, Replication, Security, SYSVOL | Leave a Comment »

(2016-01-19) Free AD Tool For The IT Pro (4)

Posted by Jorge on 2016-01-19

While browsing the internet I found the following AD related tools that might be worth checking out. Have fun!

–

REMARK: I do not own and do not support these tools. These tools are also not specifically recommended by me, this post is just a "FYI only!" It is your responsibility to test and check out these tools to see if these meet your requirements.

–

Z-Hire/Z-Term Active Directory, Exchange, Lync, Office 365 User Creation Tool

Z-Hire automates the IT account creation process for Exchange mailbox, Active Directory, Lync accounts, Office 365 cloud and SalesForce cloud deployments. With just a click of the button, your Exchange mailbox, and Active directory user and Lync accounts will be created simultaneousy. This tool can also create and set custom settings for Office 365 accounts using templates. Z-Hire serves as the platform for new hire accounts by allowing auto-creation of major IT user accounts with the option for custom scripts. Z-hire will decrease your new hire user account deployment time by 600%, without the need for complicated and expensive identity management solutions. This Active Directory User Creation Tool makes creating Active Directory users a breeze. Some of the features include:

Environment Auto detection/discovery (AD/Exchange/Lync/Office 365/SalesForce)
Copy existing Active Directory User to Z-Hire Template
Support for Active Directory user, Exchange Mailbox, Lync 2010, Lync 2013, Office 365 user and SalesForce user account
Template based deployment (allows consistency for all user accounts)
Office 365 account creation with major attributes
Office 365 license only mode (assign license only, when using DirSync)
Office 365 Hybrid mode ( for organizations running Office 365 in Hybrid mode)
Active Directory user account creation with major attributes
Active Directory group selection
Active Directory user duplicate SamAccountName verification
Lync 2010 account creation supporting all policies
SalesForce user creation support all major attributes
Faster performance (compared to previous version)
Bulk import from CSV / Text to provision Active Directory, Exchange, Lync and Office 365 users (version 5.3)
HRIS / WorkDay driven user provisioning (Automatically provision users from WorkDay and other HRIS Systems)
HRIS / WorkDay driven data sync (Automatically sync user data such as Title, Department from WorkDay and other HRIS systems)

–

Click HERE for more information

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Exchange Server, IT Pro Tools, OCS/Lync Server, Office 365, Windows Azure Active Directory | Leave a Comment »

(2011-10-24) Free AD Tools For The IT Pro (3)

Posted by Jorge on 2011-10-24

While browsing the internet I found the following AD related tools that might be worth checking out. Have fun!

–

REMARK: I do not own and do not support these tools. These tools are also not specifically recommended by me, this post is just a "FYI only!" It is your responsibility to test and check out these tools to see if these meet your requirements.

–

ADManager Plus – Free Active Directory Tools 4.4

ADManager Plus presents a comprehensive set of Free Windows Active Directory Tools. These tools have been developed to simplify some of the routine activities carried out on the Active Directory data and they come to you absolutely free. The list of tools available for ready download includes:

Active Directory Query Tool: The AD Query Tool is a freeware from ManageEngine ADManager Plus. It queries the Active Directory and retrieves Details based on the query supplied. The details displayed have relevance to the query that is posted by the user. This is a simple, easy to use tool that queries the AD and displays object information.
Empty Password Users Report: "Empty Password Users Report Tool" is free, utility software that helps find information of Active Directory users having null or empty password. The Administrator can generate the list of users with empty / blank password by just supplying simple AD information like Domain and Container names along with the user name and password of the user.
Active Directory CSV Generator: The CSV Generator Tool helps you to generate a CSV file that contains a customized array of user specified attributes and the corresponding Active Directory values. This free tool takes a simple CSV file with basic attributes like sAMAccountName, and generates a full fledged CSV file containing a comprehensive attribute list. This would save considerable time and efforts of admins and other staff associated with Active Directory data.
Active Directory DC Monitoring Tool: The DC Monitoring Tool is a very useful active directory utility that helps administrators to monitor the performance of Domain Controller(s) within the specified Domains. The Domains that need to be monitored are auto detected and displayed by the DC Monitoring Tool. Three of the most important parameters that are monitored by this free active directory software program are CPU Usage, Disk Space and Memory Utilization. Information on these essential parameters, eases out the DC Monitoring Activity for any AD Administrator.
Windows PowerShell Manage-Local Users Tool: The Microsoft Windows PowerShell is gaining prominance of late. The Manage-LocalUsers utility is an implementation of Microsoft PowerShell. This is a free tool from ManageEngine ADManager Plus, which lists out all the local users in a specified computer and allows to reset the password of local users of that computer. This freeware is basically a PowerShell cmdlet which helps administrators to effectively control the local user accounts of their domain users

Click HERE for more information

–

AD Show User Groups v1.0

This FREE tool shows Group Membership of one AD User. Show Group Membership of a specific AD User and export results to a text file.

Click HERE for more information

–

AD Group Members v1.1

This FREE tool lists Members of Active Directory Groups. Do you have hundred of AD Groups and you want to check membership of users? Search Active Directory Groups and List Members. Export Result to Excel File. Load AD Groups button: Search and List All Groups in Active Directory.

Click HERE for more information

–

Active Directory Search – Server Admin (text below has been translated from German To English using Yahoo Babelfish. It may therefore contain errors)

AD search Admin is a .NET program, with which the total structure and the domains, which are clearly indicated to IP of locations, positions of trust, FSMO roles, global catalog servers and Group Policies of a Active directory. With AD search Admin can be looked for very simply and comfortably for objects in a Active directory (AD). Active directory search – server Admin offers besides many functions for the announcement and modification of Active directory attributes and for a central server administration. For the search for the AD objects " Benutzer" , " Gruppe" and " Computer" AD search Admin© offers graphic interfaces which can be served simply and supports also arbitrary LDAP search stringer, in order to be able to search purposefully over filters after AD objects. An often needed feature, which " determination; True load Logon" for user and Cumputerobjekte, search Admin© with a mouse click is possible in AD. The characteristics of the found objects and their values are clearly represented. For some attributes the result values are prepared special, as for example SID, user flag and current values. The complete expenditures (Property Pages) can be stored as text file. Over context menus can be copied individual characteristics, values or several expenditure lines into the intermediate file and used over it further. Further outstanding feature of AD search Admin© is the fast access to functions, which are indispensable in the daily administration of servers. These functions are examining the accessibility over Ping, call of the computers management console, open the Eventlogs, start a RDP connection, indicate to the disk volumes and particularly adapted WMI inquiries. In addition all WMI classes of CIMV2 can be selected and the respective characteristics be indicated. With the possibility of copying over the context menu thereby simply own WMI inquiries can be provided. Particularly for the administration of servers in AD Admin© some WMI inquiries for meaningful expenditures are programmed search. Those are the inquiries after Hotfixes, Patches, the local administrators and the locally announced accounts.

Click HERE for more information

–

Posted in Active Directory Domain Services (ADDS), IT Pro Tools | Leave a Comment »

(2011-09-06) Database Browsing/Editing Tool

Posted by Jorge on 2011-09-06

Have you ever had the need to quickly browse and/or edit a database on some database server without installing SQL Management Studio (for SQL Server) or some other huge database management tool, incl. the ones for other database formats? Well, look no further! I found this very interesting Database browsing/editing tool that assisted me in working with the attribute store that I had configured for my ADFSv2 test environment. You cannot compare it with SQL Management Studio for example, with it supports a huge interesting features which work me. I used this a lot in my test environment when I need to browse/edit a database from a server not hosting SQL Server.

–

ORIGINAL SOURCE FOR THE TEXT/PICTURES BELOW: http://blogs.microsoft.co.il/blogs/doli/archive/2011/07/20/free-tool-database-browser.aspx

–

Database Browser is an easy to use, free portable tool, which can connect to a variety of database types and browse or modify data, run SQL scripts, export and print data.

This tool is free and portable
The browser supports variety of direct databases connections :
- Oracle
- Microsoft Sql Server
- ODBC
- MySql
- OleDB
- PostgreSQL
- SQLite
- Microsoft Sql Server Compact
- Interbase
- Firebird