Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-11-18) Active Directory Security Scan Of Accounts (Part 4)

Posted by Jorge on 2019-11-18


With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At Object Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • Protected Group Membership (e.g. <comma separated list of group account names> or "No Memberships")
    REMARK: With protected groups, the focus is ONLY on default AD Protected Groups (e.g. BUILTIN\Administrators", "<DOMAIN>\Domain Admins", etc.)
    REMARK: if protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
  • ACE On AdminSDHolder (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
    REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
    REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs
  • Powerful ACEs On Objects (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
    REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
    REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs

The following ACEs are considered powerful:

  • Full Control
  • Password Reset Control Access Rights
  • Control Access Right In General
  • WriteOwner (Allows to write the owner and that allows to write the DACL)
  • Write DACL
  • Write Property In General
  • Write Property For “lockoutTime” (Unlocking Account)
  • Write Property For “msDS-AllowedToDelegateTo” (Adding/removing accounts for account based delegation)
  • Write Property For “msDS-AllowedToActOnBehalfOfOtherIdentity” (Adding/removing accounts for resourced based delegation)
  • Write Property For “servicePrincipalName” (Adding/removing SPNs)
  • Write Property For “userAccountControl” (Managing security/delegation settings, enabling/disabling account)

When the script finishes, it produces a CSV report that contains every account in the AD forest that can authenticate (user, computer, gMSA, inetOrgPerson) and potentially be a threat, and it displays that CSV in a GridView automatically. The CSV can of course also be used in Excel if needed. With this information you may be able to remove or fix configurations and/or get an idea how things look like to mitigate risks as much as possible!

While the script is running it logs every to a log file. which is in the same folder as the script itself.

This script requires:

  • PowerShell Module: ActiveDirectory
  • Basic User Permissions, Nothing Special!

Scan/Check All Accounts In The AD Forest And Create The Report

.\Scan-And-Check-All-Accounts-In-AD-Forest_04_Object-Level-Permissions-Info.ps1

The script has been tested in three different AD forests:

  • AD forest with a Single AD domain with less than 500 accounts and quite some account config
  • AD forest with a Single AD domain with approx. 150000 accounts and less account config
  • AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config

image

Figure 1a: Sample Output Of The Log File

image

Figure 1b: Sample Output Of The Log File

image

Figure 1c: Sample Output Of The Log File

image

Figure 1d: Sample Output Of The Log File

To open the CSV on another computer and display it in GridView, execute the following command:

Import-CSV <Full Path To The CSV File> | Out-Gridview

image

Figure 2: Sample Output Of The CSV File Displayed In PowerShell GridView

To get the script, see: Scan And Check All Accounts In AD Forest – Object Level Permissions Info

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, Delegation Of Control, IT Pro Tools, PowerShell, Security, Security, Tooling/Scripting | Leave a Comment »

(2019-11-15) Active Directory Security Scan Of Accounts (Part 3)

Posted by Jorge on 2019-11-15


With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At NC Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • DS Repl Chng Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
  • DS Repl Chng All Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
  • Migr SID History Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")

When the script finishes, it produces a CSV report that contains every account in the AD forest that can authenticate (user, computer, gMSA, inetOrgPerson) and potentially be a threat, and it displays that CSV in a GridView automatically. The CSV can of course also be used in Excel if needed. With this information you may be able to remove or fix configurations and/or get an idea how things look like to mitigate risks as much as possible!

While the script is running it logs every to a log file. which is in the same folder as the script itself.

This script requires:

  • PowerShell Module: ActiveDirectory
  • Basic User Permissions, Nothing Special!

Scan/Check All Accounts In The AD Forest And Create The Report

.\Scan-And-Check-All-Accounts-In-AD-Forest_03_NC-Level-Permissions-Info.ps1

The script has been tested in three different AD forests:

  • AD forest with a Single AD domain with less than 500 accounts and quite some account config
  • AD forest with a Single AD domain with approx. 150000 accounts and less account config
  • AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config

image

Figure 1a: Sample Output Of The Log File

image

Figure 1b: Sample Output Of The Log File

image

Figure 1c: Sample Output Of The Log File

image

Figure 1d: Sample Output Of The Log File

To open the CSV on another computer and display it in GridView, execute the following command:

Import-CSV <Full Path To The CSV File> | Out-Gridview

image

Figure 2: Sample Output Of The CSV File Displayed In PowerShell GridView

To get the script, see: Scan And Check All Accounts In AD Forest – NC Level Permissions Info

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, Delegation Of Control, IT Pro Tools, PowerShell, Security, Security, Tooling/Scripting | Leave a Comment »

(2019-11-12) Active Directory Security Scan Of Accounts (Part 2)

Posted by Jorge on 2019-11-12


With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Kerberos Delegation” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • Service Principal Name(s) (e.g. <comma separated list of SPNs> or "No SPNs")
  • Acc Based Deleg Type (e.g. "No-Acc-Deleg" or "Acc-Unc-Deleg" or "Acc-Con-Deleg-AnyAuthN" or "Acc-Con-Deleg-KerbAuthN"
  • Acc Based Deleg To (e.g. <comma separated list of SPNs> or "No Delegated SPNs")
  • Res Based Deleg For (e.g. <comma separated list of user account names with type and domain listed> or "No-Res-Deleg"

When the script finishes, it produces a CSV report that contains every account in the AD forest that can authenticate (user, computer, gMSA, inetOrgPerson) and potentially be a threat, and it displays that CSV in a GridView automatically. The CSV can of course also be used in Excel if needed. With this information you may be able to remove or fix configurations and/or get an idea how things look like to mitigate risks as much as possible!

While the script is running it logs every to a log file. which is in the same folder as the script itself.

This script requires:

  • PowerShell Module: ActiveDirectory
  • Basic User Permissions, Nothing Special!

Scan/Check All Accounts In The AD Forest And Create The Report

.\Scan-And-Check-All-Accounts-In-AD-Forest_02_Delegation-Info.ps1

The script has been tested in three different AD forests:

  • AD forest with a Single AD domain with less than 500 accounts and quite some account config
  • AD forest with a Single AD domain with approx. 150000 accounts and less account config
  • AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config

image

Figure 1a: Sample Output Of The Log File

image

Figure 1b: Sample Output Of The Log File

image

Figure 1c: Sample Output Of The Log File

image

Figure 1d: Sample Output Of The Log File

To open the CSV on another computer and display it in GridView, execute the following command:

Import-CSV <Full Path To The CSV File> | Out-Gridview

image

Figure 2: Sample Output Of The CSV File Displayed In PowerShell GridView

To get the script, see: Scan And Check All Accounts In AD Forest – Delegation Info

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, Delegation, IT Pro Tools, Kerberos AuthN, Kerberos Constrained Delegation, PowerShell, Security, Security, Tooling/Scripting | Leave a Comment »

(2019-11-10) Azure AD Connect v1.4.32.0 Has Been Released

Posted by Jorge on 2019-11-10


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.3.21.0. I noticed that it triggered a Full Import on both the AD and AAD MA/Connector, and it also triggered a Full Sync on both the AD and AAD MA/Connector. Since the full imports/syncs may take some time, depending on the size of your AD/AAD environment in terms of number objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.4.18.0. I noticed that it triggered a Delta Import on both the AD and AAD MA/Connector, but it triggered a Full Sync on the AD MA/Connector and a Delta Sync on the AAD MA/Connector. Since the full sync may take some time, depending on the size of your AD/AAD environment in terms of number objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

IMPORTANT: Due to an internal schema change in this release of Azure AD Connect, if you manage ADFS trust relationship configuration settings using MSOnline PowerShell then you must update your MSOnline PowerShell module to version 1.1.183.57 or higher.

Azure AD Connect: Version Release History

1.4.32.0

Released: 11/08/2019

Released for download. Not available for auto-upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

  • N.A.

Fixed issues

  • This version fixes an issue with existing Hybrid Azure AD joined devices. This release contains a new device sync rule that corrects this issue (Updated sync rule: “In from AD – Computer Join”). Note that this rule change may cause deletion of obsolete devices from Azure AD. This is not a cause for concern, as these device objects are not used by Azure AD during Conditional Access authorization. For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it is advised to allow the deletions to go through. How to allow deletes to flow when they exceed the deletion threshold

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-11-09) Active Directory Security Scan Of Accounts (Part 1)

Posted by Jorge on 2019-11-09


With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “basic” account information that is related to security.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • User Principal Name  (e.g. ‘jorge@iamtec.nl’)
  • Display Name (e.g. Jorge de Almeida Pinto)
  • Enabled (e.g. TRUE or FALSE)
  • Locked (e.g. TRUE – At:<date/time> or FALSE – Never Locked or FALSE – Has Been Locked Before)
  • Account Expires On (e.g. <date/time> or NEVER)
  • Pwd Last Set On (e.g. <date/time> or "Must Chng At Next Logon")
  • Pwd Never Expires (e.g. TRUE or FALSE)
  • Last Logon Timestamp (e.g. <date/time> or NEVER)
  • Last Logon (RWDC) (e.g. <date/time> or NEVER Or NOT AVAILABLE (On ‘<FQDN RWDC>’)) <– THIS MEANS IT WILL QUERY EVERY DC (RWDC And RODC) In The AD Domain To Get The LastLogon Property From That DC! (Will be slow!)

When the script finishes, it produces a CSV report that contains every account in the AD forest that can authenticate (user, computer, gMSA, inetOrgPerson) and potentially be a threat, and it displays that CSV in a GridView automatically. The CSV can of course also be used in Excel if needed. With this information you may be able to remove or fix configurations and/or get an idea how things look like to mitigate risks as much as possible!

While the script is running it logs every to a log file. which is in the same folder as the script itself.

This script requires:

  • PowerShell Module: ActiveDirectory
  • Basic User Permissions, Nothing Special!

Scan/Check All Accounts In The AD Forest And Create The Report

.\Scan-And-Check-All-Accounts-In-AD-Forest_01_Basic-Info.ps1

The script has been tested in three different AD forests:

  • AD forest with a Single AD domain with less than 500 accounts and quite some account config
  • AD forest with a Single AD domain with approx. 150000 accounts and less account config
  • AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config

image

Figure 1a: Sample Output Of The Log File

image

Figure 1b: Sample Output Of The Log File

image

Figure 1c: Sample Output Of The Log File

image

Figure 1d: Sample Output Of The Log File

To open the CSV on another computer and display it in GridView, execute the following command:

Import-CSV <Full Path To The CSV File> | Out-Gridview

image

Figure 2: Sample Output Of The CSV File Displayed In PowerShell GridView

To get the script, see: Scan And Check All Accounts In AD Forest – Basic Info

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, IT Pro Tools, Last Logon Information, PowerShell, Security, Security, Tooling/Scripting | Leave a Comment »

(2019-11-08) Active Directory Security Scan Of Accounts

Posted by Jorge on 2019-11-08


This month will have a serious security focus in scanning your AD to determine all kinds of account configurations, see relations between those configurations and mitigate any security risks due to combined configurations. A simple example can be an account with unconstrained delegation configured while it has a weak/compromised password, etc, etc.

To scan the accounts within an Active Directory forest, I will be releasing 5 PowerShell scripts.

[Script 1] .\Scan-And-Check-All-Accounts-In-AD-Forest_01_Basic-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “basic” account information that is related to security.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • User Principal Name  (e.g. ‘jorge@iamtec.nl’)
  • Display Name (e.g. Jorge de Almeida Pinto)
  • Enabled (e.g. TRUE or FALSE)
  • Locked (e.g. TRUE – At:<date/time> or FALSE – Never Locked or FALSE – Has Been Locked Before)
  • Account Expires On (e.g. <date/time> or NEVER)
  • Pwd Last Set On (e.g. <date/time> or "Must Chng At Next Logon")
  • Pwd Never Expires (e.g. TRUE or FALSE)
  • Last Logon Timestamp (e.g. <date/time> or NEVER)
  • Last Logon (RWDC) (e.g. <date/time> or NEVER Or NOT AVAILABLE (On ‘<FQDN RWDC>’))

[Script 2] .\Scan-And-Check-All-Accounts-In-AD-Forest_02_Delegation-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Kerberos Delegation” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • Service Principal Name(s) (e.g. <comma separated list of SPNs> or "No SPNs")
  • Acc Based Deleg Type (e.g. "No-Acc-Deleg" or "Acc-Unc-Deleg" or "Acc-Con-Deleg-AnyAuthN" or "Acc-Con-Deleg-KerbAuthN"
  • Acc Based Deleg To (e.g. <comma separated list of SPNs> or "No Delegated SPNs")
  • Res Based Deleg For (e.g. <comma separated list of user account names with type and domain listed> or "No-Res-Deleg"

[Script 3] .\Scan-And-Check-All-Accounts-In-AD-Forest_03_NC-Level-Permissions-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At NC Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • DS Repl Chng Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
  • DS Repl Chng All Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
  • Migr SID History Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")

[Script 4] .\Scan-And-Check-All-Accounts-In-AD-Forest_04_Object-Level-Permissions-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At Object Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • Protected Group Membership (e.g. <comma separated list of group account names> or "No Memberships")
    REMARK: With protected groups, the focus is ONLY on default AD Protected Groups (e.g. BUILTIN\Administrators", "<DOMAIN>\Domain Admins", etc.)
    REMARK: if protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
  • ACE On AdminSDHolder (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
    REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
    REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs
  • Powerful ACEs On Objects (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
    REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
    REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs

[Script 5] \Scan-And-Check-All-Accounts-In-AD-Forest_05_Account-And-Password-Hygiene-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Account And Password Hygiene” related information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • Enabled (e.g. TRUE or FALSE)
  • Pwd Last Set On (e.g. <date/time> or "Must Chng At Next Logon")
  • Has Adm Count Stamp (e.g. TRUE or FALSE)
  • Delegatable Adm (e.g. TRUE or FALSE)
  • Does Not Req Pre-AuthN (e.g. TRUE or FALSE)
  • Has Sid History (e.g. TRUE or FALSE)
  • Has LM Hash (e.g. TRUE or FALSE)
  • Has Default Pwd (e.g. TRUE or FALSE)
  • Has Blank Pwd (e.g. TRUE or FALSE)
  • Uses DES Keys Only (e.g. TRUE or FALSE)
  • Has Missing AES Keys (e.g. TRUE or FALSE)
  • Pwd Rev Encrypt (e.g. TRUE or FALSE)
  • Pwd Not Req (e.g. TRUE or FALSE)
  • Pwd Never Expires (e.g. TRUE or FALSE)
  • Has Shared Pwd (e.g. TRUE – Domain Shrd Pwd Grp x Of y or FALSE)
  • Compromised Pwd (e.g. TRUE or FALSE)
  • Most Used Hash (e.g. <hash> (<count>) or N.A.)

Interested in this? Stay tuned!

Thanks!

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, Delegation, Delegation Of Control, IT Pro Tools, Kerberos Constrained Delegation, Last Logon Information, Passwords, PowerShell, Replication, Security, Tooling/Scripting | 1 Comment »

(2019-11-06) Azure AD Password Protection (A.k.a. Banned Password List) – Third Party Solution LithNet AD Password Protection (Part 9)

Posted by Jorge on 2019-11-06


In addition to Azure AD Password Protection, of course there are also other third-party solutions. Azure AD Password Protection performs one heck of a job.

Nevertheless, I do believe it would be an even better solution if:

One solution that caught my attention is: LithNet Active Directory Password Protection.

At a high level, its features are:

  • Does NOT have the limits specified above (except bullet 3)
  • Can work alongside the MSFT Password Solution if needed
  • Can run in LSA protected mode (co-signed by Microsoft) (https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
  • Ability to take control of what a good password means to you
  • Fully or partially adopt 2018 NIST password recommendations (https://pages.nist.gov/800-63-3/sp800-63b.html)
    • An eight character minimum and 64 character maximum length
    • The ability to use all special characters but no special requirement to use them
    • Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa)
    • Restrict context specific passwords (e.g. such as the name of the service, the username, and derivatives thereof, etc.)
    • Restrict commonly used passwords (e.g. p@ssw0rd, etc.)
    • Restrict passwords obtained from previous breach corpuses
  • Ability to be used against domain accounts and local accounts on workstations and servers
  • Rich set of group policy-based controls that allow to enable any combination of the following checks on attempted password changes (BE CAREFULL WHEN USING MULTIPLE POLICIES AS ONE MIGHT IMPACT THE OTHER!):
    • General settings
      • Disable password filter
    • Regular expression policies
      • Passwords must match regular expression
        AND/OR
      • Passwords must NOT match regular expression
    • Complexity policies
      • Points-based complexity policy definition. Assign points for the use of certain characters and categories and set a minimum point threshold a password must meet.
        Minimum # points required to allow/approve password
        • # Points for each character used
        • # Points for each number used
        • # Points for each lower case letter used
        • # Points for each upper case letter used
        • # Points for each symbol used
        • # Points for at least 1 number used
        • # Points for at least 1 lower case letter used
        • # Points for at least 1 upper case letter used
        • # Points for at least 1 symbol used
      • Length based complexity policy definition. For example, you can require number, symbol, upper and lower for passwords less than 13 characters, but have no special requirements for passwords 13 characters or longer. Reward length, with less complexity.
        REMARK: It is recommended to disable the built-in Active Directory password complexity requirements policy when this policy is enabled.
        REMARK: What happens when the password equals X or Y?)
        • Threshold Level 1 – less than X
          • Total number of character sets required (number, symbol, lower case letter, upper case letter)
          • Exact characters sets required at a minimum:
            • Lower case letter
            • Upper case letter
            • Symbol
            • Number
            • Number or symbol
        • Threshold Level 2 – equal to or longer than X and less than Y
          • Total number of character sets required (number, symbol, lower case letter, upper case letter)
          • Exact characters sets required at a minimum:
            • Lower case letter
            • Upper case letter
            • Symbol
            • Number
            • Number or symbol
        • Threshold Level 3 – equal to or longer than Y
          • Total number of character sets required (number, symbol, lower case letter, upper case letter)
          • Exact characters sets required at a minimum:
            • Lower case letter
            • Upper case letter
            • Symbol
            • Number
            • Number or symbol
      • Minimum password length
        REMARK: It is recommended to disable the built-in Active Directory password complexity requirements policy when this policy is enabled.
    • Password Content Policies
      • Reject passwords that contain the user’s account name (username length must be greater than 3)
      • Reject passwords that contain all or any part of the user’s display name
      • Reject passwords found in the compromised password store (Checks the exact password specified by the user against the list of compromised passwords)
        • Requires the import of the "Have I Been Pwned" (HIBP) password list!
        • Allows for differentiation between CHANGE and RESET
      • Reject normalized passwords found in the compromised password store (normalization rules) (Checks the normalized password specified by the user against the list of compromised passwords)
        • Requires the import of the "Have I Been Pwned" (HIBP) password list!
          AND/OR
        • Requires the addition of your own forbidden passwords!
        • Allows for differentiation between CHANGE and RESET
      • Reject normalized passwords found in the banned word store (Adding a banned word prevents it from being used as the base of a password. For example, adding the word ‘password’ to the banned word store, prevents not only the use of that word itself, but common variants such as ‘P@ssw0rd’, ‘pa55word!’ and ‘password123456!’. LPP is aware of common character substitutions and weak obfuscations and prevents their use through a normalization process.)
        • Requires the import of banned words!
        • Allows for differentiation between CHANGE and RESET
  • Full PowerShell support which is used to;
    • Manage the compromised password and banned word stores. Add your own banned words and compromised passwords, as well as use popular databases such as the haveibeenpwned.com downloadable password list (‘NTLM ordered by hash’ list)
    • Test passwords and existing hashes against the compromised store
    • Check to see if your user’s current passwords in AD are found in the compromised password store (based upon DS Internals!)
  • Passwords never leave the domain controller
  • Designed for large environments where high performance is required
  • Creates detailed event logs (Event Log: "Application", Source: "LithnetPasswordProtection")
  • Uses a DFS-R friendly data store
  • No internet access required
  • No additional servers required for deployment
  • Group policy support

Some numbers regarding the usage of Lith Active Directory Password Protection (Source: https://twitter.com/lithnet_io/status/1154892852184248320?s=12)

  • Australian university, 180000 users, 6 countries
  • Czech Republic and Slovakia, mobile operators, 15000 users
  • 50,000 users, manufacturing. Testing in another forest with 400,000.
  • 1000 user’s. Hospitality industry!
  • Humanitarian company. 14000 users worldwide
  • …and most likely there are more companies using it

More information:

Make sure to give it a try, as this really rocks! Oh and buy Ryan a beer as he really deserves it, looking at the cool stuff he designs and builds and makes it available for others to use.

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), IT Pro Tools, Passwords, Replication, Security, SYSVOL | Leave a Comment »

(2019-11-03) Azure AD Password Protection (A.k.a. Banned Password List) – Getting Statistics (Part 8)

Posted by Jorge on 2019-11-03


After running for some time in either AUDIT ONLY mode or ENFORCE mode, it is interesting to get some statistics of what your users are doing with regards to the passwords being used. Every RWDC with the Azure AD Password Protection DC Agent installed will evaluate the provided password against the algorithm. Regarding the algorithm see (2019-10-28) Azure AD Password Protection (A.k.a. Banned Password List) – Optimizing The Custom Per Tenant List (Part 6).

On every RWDC with the Azure AD Password Protection DC Agent installed, every password is evaluated, and the outcome is  logged in an event in the event log “\Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin”. More detailed info about the events can be found here..

When the PowerShell CMDlet is executed against an RWDC it basically counts the number of events for a specific action and reports that. If you therefore delete events or that RWDC is decommissioned for some reason, the statistics are lost. Remember, there are two modes, each mode has 2 possible actions, and multiple outcomes are possible that contribute to the statistics

Modes:

  • AUDIT ONLY Mode
  • ENFORCE Mode

Actions:

  • Password Change: actor knows old password and provides new password (always the owner of the account, or at least a person that knows the old password)
  • Password (Re)Set: actor does not know or remember old password and sets a new password. This could be an admin on behalf of the user account or an intermediate system (e.g. azure ad sspr or dell sspm or whatever) on behalf of the user and still actioned by the user itself

Statistics

  • PasswordChangesValidated: number of password changes that were validated in either mode
  • PasswordChangeAuditOnlyFailures: in AUDIT ONLY mode, the number of password changes that were validated and the result was not successful
  • PasswordChangeErrors: in ENFORCE mode, the number of password changes that resulted in an error for some reason
  • PasswordChangesRejected: in ENFORCE mode, the number of password changes that resulted in the password being rejecte
  • PasswordSetsValidated: number of password (re)sets that were validated in either mode
  • PasswordSetAuditOnlyFailures: in AUDIT ONLY mode, the number of password (re)sets that were validated and the result was not successfu
  • PasswordSetErrors: in ENFORCE mode, the number of password (re)sets that resulted in an error for some reason
  • PasswordSetRejected: in ENFORCE mode, the number of password (re)sets that resulted in the password being rejected

So how many passwords were correctly validated in either mode:

  • Successful “Password Changes” = PasswordChangesValidated – PasswordChangeAuditOnlyFailures – PasswordChangeErrors – PasswordChangesRejected
  • Successful “Password (Re)Sets” = PasswordSetsValidated – PasswordSetAuditOnlyFailures – PasswordSetErrors – PasswordSetsRejected

So to gather the statistics through an AD forest I have written a script that gathers the statistics from the RWDCs that are part of the specified scope. The script supports, three modes being: forest, domain (specified) and rwdc (specified)! Independent of the scope, it also counts the total of every statistic property and presents it accordingly at the end or in the GridView through a separate entry at the end. You can therefore see the statistics per RWDC and in total. It also provides a CSV file with the info for later use in either Excel, GridView or some other way.

# To Target All RWDCs In The AD Forest

.\AAD-Password-Protection-Statistics.ps1 -scope Forest

OR

# To Target All RWDCs In The Specified AD Domain(s)

.\AAD-Password-Protection-Statistics.ps1 -scope Domain -domains <FQDN Domain 1>,<FQDN Domains 2>,<FQDN Domain N>

OR

# For All Specified RWDCs

.\AAD-Password-Protection-Statistics.ps1 -scope RWDC -servers <FQDN RWDC 1>,<FQDN RWDC 2>,<FQDN RWDC N>

image

image

Figure 1: Creating A Report Of RWDCs With Numbers Regarding Passwords Processed And Evaluated

image

Figure 2: GridView Output With The Same Results

You can download the script from here

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Azure AD Password Protection, Blog Post Series, Passwords, Passwords, Replication, Security, SYSVOL, Windows Azure Active Directory | Leave a Comment »

(2019-10-31) Microsoft Identity Manager 2016 Service Pack 2 (build 4.6.34.0) Has Been Released

Posted by Jorge on 2019-10-31


Microsoft has released Microsoft Identity Manager 2016 Service Pack 2! It is available for download as an ISO for fresh installs (available through Visual Studio Downloads), and as an MSI for updating existing environments.

Please find below what has been fixed and/or improved.

I particularly like the TLS 1.2 only support DURING installation of the MIM components. Previously it supported TLS 1.2 during runtime, but not during installation/updating. You always had to decrease the security level to TLS 1.0 to be able to install/update. And in addition I also like the gMSA support! Gone try both and blog about it regarding experiences.

Issues fixed and improvements added in this update

MIM Client add-ons

  • Added support for MIM Outlook add-in to be loaded into the Microsoft Office 365 Outlook Click-To-Run version.

Service and Portal

  • Added support for MIM Service and Portal to be installed on Windows Server 2019, and to use SQL 2017, Exchange Server 2019, SharePoint 2019, System Center Service Manager Data Warehouse 2019.
  • Enabled MIM Service and Portal installation in TLS 1.2 only environments.
  • Enabled installation for MIM Service, Password Reset and Password Registration websites to use group-managed service accounts.
  • New installer parameter "keepSQLjobs" introduced to keep existing SQL Agent MIM related jobs untouched (keep ownership and schedule), for example, "msiexec /p ‘MIMService_KB4512924.msp’ keepSQLjobs=true."
  • Added an additional step to MIM SQL Server Agent temporal jobs to skip execution on secondary SQL Always-On Availability Group replicas.
  • Added a code to handle "ExplicitMember.Add" and "ExplicitMember.Remove" virtual attributes in RCDC forms for custom object types.
  • MIM Service MA schema refresh no longer causes synchronization rules corruption.
  • Accessibility improvements for customers by using MIM Portal together with a screen reader.

Synchronization Service

  • Added support for MIM Synchronization Service to be installed on Windows Server 2019, and to use SQL Server 2017, Exchange Server 2019.
  • Enabled installation in TLS 1.2-only environments.
  • Enabled installation for MIM Synchronization Service to use a group managed service account.
  • Added "Use MIMSync account" option for MIM Service Management Agent to use Synchronization Service’s group-managed service account credentials to connect to MIM Service and MIM Service Database.
  • Accessibility improvements for customers by using MIM Synchronization Service Client together with a screen reader.

Privileged Access Management

  • PowerShell cmdlet "Get-PAMRequest" returns an additional property.
  • Enabled installation for PAM Monitoring Service, PAM Component Service to use group-managed service accounts.

More Information: Microsoft Identity Manager 2016 Service Pack 2 (build 4.6.34.0) Update Rollup is available

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) PCNS, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Microsoft Identity Manager (MIM), Updates, Updates, Updates, Updates, Updates | Leave a Comment »

(2019-10-30) A Thousand Blog Posts!

Posted by Jorge on 2019-10-30


I started blogging in 2005. My very first blog on the internet from me was on November 8th 2005. At that time I was inspired by a friend at Microsoft and a little bit by myself. I was active in the, back then, Microsoft newsgroups for AD (Directory Services). My main reason to start blogging was that I was so tired of repeating the same answer in those newsgroups over and over again, that I started searching for a way to repeatedly provide the same answer without too much additional work. Starting a blog was a very good idea. Back then I started my blog somewhere else and about 8 years ago I migrated my blog away to WordPress, which provided me more autonomy and freedom in doing what I wanted the way I wanted it to be done.

image

Now about 14 years later THIS is 1000th blog post!

image

Soon after starting my blog, and along the way my goal changed to blog about my real world experiences, knowledge and scripts so that others could learn from it and directly use that knowledge and tools/scripts in their day to day jobs. Based upon the stats I can say, since the first day the blog has had a serious amount of visitors and it is referenced quite many time in the Microsoft Forums and other places. Good to see that many other people are using it. I also love the comments being made people and the mails that I get from people regarding the issues they have and for which they are seeking some answers.

A serious THANK YOU to all of you who read this blog, and also a THANK YOU to Microsoft for awarding me the MVP Award the past 14 years and helping me with the great technology.

Cheers,     

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Day-To-Day Stuff, Personal Stuff | 1 Comment »

 
%d bloggers like this: