my personal blog about systemcenter

Protecting your secrets, one more step to remember

Categories: Active Directory, AD, Backup, Disaster Recovery, Password, TSM

If you are using hosted backup with IBM Tivoli Storage Manager (TSM), there is one more step to cover when people leave the organisation.

The protections most hosted backups rely on are

Protection against a "rogue" TSM administrator:

Client-side encryption

Protection against a "rogue" backup administrator:

Node ID

Node password (separation of duties: one person holds the node password, another the encryption key)

The last one is the issue here, because it is often not rotated. The TSM server default is a 90-day password expiry, but looking at different hosted TSM offerings the node password is often set to never expire.

This is not a TSM problem but a password rotation problem.

In a perfect world the node password and the encryption key are not known by the same person. In practice, though, the node ID, the node password and the encryption secret are all stored in the registry of the backed-up server (the scheduler service needs them to run unattended), so anyone with administrative rights on that server, including an AD domain admin, can get at them.

Scenario

TSM BA Client installed on demodc01.stackdemo.dk

Starting the TSM client; it prompts for the node password on the first backup

Ready for action

Starting the first backup; it prompts for the encryption key, and after a short while the backup is completed

On a rogue server outside the environment we install the TSM BA Client and reuse the node ID and password that the disgruntled backup admin took with them

Adding the node ID and node password

And we restore a dummy file to verify that it works; we are prompted for the encryption key

If we can't remember where ntds.dit sits in the backup we can search for it (q b is query backup, -sub=y includes subdirectories):

dsmc q b "{DEMODC01\SystemState\NULL\System State\SystemState}\ntds.dit" -sub=y

And then restore the files to a folder on the rogue box:

dsmc rest "{DEMODC01\SystemState\NULL\System State\SystemState}\\DEMODC01\C$|\WINDOWS\ntds\*" C:\EVILDC\ -sub=y

And we now have something we can attack: ntds.dit holds the password hashes of every account in the domain, and if we boot the restored data in a WinPE environment and follow the system state restore procedure we end up with a working domain controller.

If the attacker had access to the domain controller, as a disgruntled former employee would have had, both the node password and the encryption key are available in the registry on the source node. TSM needs both to log on to the TSM server and to back up and restore data, so they have to be stored somewhere the service can read them.

It is very hard to protect anything from a domain admin, even with an assume-breach mindset.

So we can log on without being prompted for credentials or the encryption key.

So what can we do?

First off, prevent people from becoming disgruntled.

And since we can't control human nature: change the password on the nodes, either on a schedule, or when high-privilege staff leave, or both. Again, the TSM default is that a node password expires and gets changed.

Single-node example: log on to the TSM server and change the node password.

Something old, something new: the client is asked for the old password and the new one.

Success. The password change can be scripted, so cycling the password should not be a big effort.

And our EvilDC can no longer access TSM, and everything is back to normal.
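The screenshots above change one node by hand. As an added example (my own script, not from the original post or from IBM), here is the server-side counterpart for the scripted case: it lists nodes whose password never expires or is older than the 90-day default, then rotates the password of the nodes a leaver could have copied, which is exactly what locks the EvilDC out. It assumes dsmadmc is on the PATH with a dsm.opt pointing at your server, that the admin ID can run UPDATE NODE, and that the NODES table has NODE_NAME, PWSET_TIME and PASSEXP columns; the column names are an assumption to check against your server version with `select colname from columns where tablename='NODES'`.

```powershell
# Added example (not from the original post): audit TSM node password age from the server
# side and rotate the node password for the hosts a departing administrator had access to.
#
# Assumptions, verify against your own server before use:
#  - dsmadmc.exe (the TSM administrative command-line client) is on the PATH and its dsm.opt
#    points at the right server.
#  - The NODES table exposes NODE_NAME, PWSET_TIME and PASSEXP. Check the column names with:
#      select colname from columns where tablename='NODES'
#  - The administrator ID has the authority to run UPDATE NODE.
param(
    [string]   $AdminId       = 'tsmadmin',
    [string[]] $NodesToRotate = @('DEMODC01'),   # nodes the leaver could have copied
    [int]      $MaxAgeDays    = 90               # the TSM default password expiry
)

$cred    = Get-Credential -UserName $AdminId -Message 'TSM administrator password'
$adminPw = $cred.GetNetworkCredential().Password

function Invoke-TsmAdmin {
    param([string]$Command)
    # -dataonly=yes drops the banners, -commadelimited gives one CSV line per result row.
    # Caveat: -password= is visible in the process list while dsmadmc runs, so run this from
    # a management host, not from the node being rotated.
    & dsmadmc "-id=$AdminId" "-password=$adminPw" -dataonly=yes -commadelimited $Command 2>&1
}

function New-NodePassword {
    param([int]$Length = 32)
    # 64 symbols, all valid in a TSM node password, so a 6-bit mask gives an unbiased pick.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.'
    $bytes    = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

# 1. Audit: nodes whose password never expires, or was last set more than $MaxAgeDays ago.
Write-Host 'Nodes with a stale or non-expiring password:'
Invoke-TsmAdmin 'select node_name, pwset_time, passexp from nodes' |
    Where-Object { $_ -match '^[^,]+,' } |          # keep data rows, drop ANS/ANR messages
    ForEach-Object {
        $name, $pwSet, $expiry = $_ -split ','
        # PWSET_TIME looks like 2017-01-05 10:22:31.000000; drop the fraction before parsing.
        $ageDays = if ($pwSet) {
            ((Get-Date) - [datetime]::Parse(($pwSet -split '\.')[0])).TotalDays
        } else { [double]::MaxValue }
        # An empty PASSEXP means the node inherits the server-wide SET PASSEXP value.
        $neverExpires = ($expiry -ne '' -and [int]$expiry -eq 0)
        if ($neverExpires -or $ageDays -gt $MaxAgeDays) {
            '{0,-20} password set {1,6:N0} days ago, expiry period: {2}' -f $name, $ageDays, $expiry
        }
    }

# 2. Rotate: a new server-side password makes every copy the leaver took useless.
foreach ($node in $NodesToRotate) {
    $newPw = New-NodePassword
    Invoke-TsmAdmin "update node $node $newPw" | Out-Null
    Write-Host "Rotated $node. Enter the new password once on the legitimate client (dsmc set password, or at the prompt on its next session) so it is stored there again."
    # $newPw is the only copy; hand it to the node owner out of band and do not log it.
}
```

Rotating the node password only closes the "reuse the node ID and password elsewhere" path. The encryption key the leaver may also have seen is a separate secret, which is why the separation of duties between the two matters.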

Thycotic's Weak Password Finder and Microsoft Advanced Threat Analytics

Categories: Active Directory, Advanced Threat Analytics, ATA, Thycotic

Thycotic has made a free tool available to check for bad passwords in Active Directory:

UNCOVER YOUR MOST VULNERABLE SECURITY GAPS: FREE WEAK PASSWORD FINDER FOR ACTIVE DIRECTORY

https://thycotic.com/solutions/free-it-tools/

If we dig into the about file:

The core functionality of this product has been inspired by Jakob Heidelberg https://www.linkedin.com/in/heidelberg and developed by Michael Grafnetter https://www.linkedin.com/in/grafnetter.

We can see where the inspiration and development came from, and thank you to Thycotic for making this tool available for free.

This is just a quick drill-through with the detection from Advanced Threat Analytics.

Running on a member server, pointing to the DC and the domain.

Using the overpowered administrator I have logged on with.

And ready to scan.

Looking through all AD objects.

And reporting time.

Something very pretty to present to security/management.

With 26 items on the to-do list to fix.

And, to the point of the post, Microsoft Advanced Threat Analytics catches the non-standard replication: the tool reads the password hashes by replicating them from the DC, and a replication request coming from a member server that is not a DC is exactly what ATA flags.

When time permits, further digging in the tool. For a production environment I would always run this against a restored domain controller without network access, even though I trust the people involved.

MongoDB and Microsoft Advanced Threat Analytics and Secure by Default

Categories: Advanced Threat Analytics, ATA, MONGODB, Ransomware

The last few days we have seen very public attacks on unsecured MongoDB databases exposed directly to the internet:

MongoDB ransom attacks soar, body count hits 27,000 in hours

http://www.theregister.co.uk/2017/01/09/mongodb/

And the response from MongoDB:

https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data

These attacks are preventable with the extensive security protections built into MongoDB. You need to use these features correctly, and our security documentation will help you do so. Here are pointers to the relevant documentation and other useful resources:

and a reference to their security manual on how to secure MongoDB.

So I looked at where we are using MongoDB and found our Advanced Threat Analytics install. The ATA Center is not internet connected, but an internal attacker wiping the database would be bad enough, so we checked.

Local host listener only.

And double-checked in the mongod config file.

The only acceptable result: secure by default. Thanks, Microsoft and MongoDB.
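The two checks above (the live listener and the config file) can be done from one script so they can be repeated after every ATA update. This is an added example of my own, not code from the post or from Microsoft; it assumes mongod runs on the default port 27017 on the host you run it on, and that you pass the path of the mongod.cfg the ATA Center uses (the path is not assumed).

```powershell
# Added example (not from the original post): verify that the MongoDB instance behind the
# ATA Center listens on loopback only, from both the live socket table and mongod.cfg.
# Assumptions: mongod runs on this host on port 27017; $ConfigPath is its YAML config file.
param(
    [Parameter(Mandatory)] [string] $ConfigPath,
    [int] $Port = 27017
)

function Get-MongoListeners {
    param([int]$Port)
    # Live check: every listening socket on the port and whether it is bound to loopback.
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Address  = $_.LocalAddress
                Loopback = ($_.LocalAddress -in '127.0.0.1', '::1')
                Process  = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }
}

function Get-BindIpFromConfig {
    param([string]$Path)
    # Config check: YAML key net.bindIp, or bind_ip in the older ini-style format.
    # No key at all means "all interfaces" before MongoDB 3.6 and "localhost" from 3.6 on,
    # so treat a missing key as a finding rather than trusting the version default.
    $text = Get-Content -Raw -Path $Path
    if ($text -match '(?m)^\s*bindIp\s*:\s*(\S+)')  { return $Matches[1] }
    if ($text -match '(?m)^\s*bind_ip\s*=\s*(\S+)') { return $Matches[1] }
    return $null
}

$listeners = Get-MongoListeners -Port $Port
$bindIp    = Get-BindIpFromConfig -Path $ConfigPath

$listeners | Format-Table -AutoSize
"bindIp in ${ConfigPath}: $(if ($bindIp) { $bindIp } else { '<not set>' })"

$exposed = $listeners | Where-Object { -not $_.Loopback }
if ($exposed -or -not $bindIp -or ($bindIp -notin '127.0.0.1', 'localhost', '::1')) {
    Write-Warning 'mongod is (or may be) reachable from the network: set net.bindIp: 127.0.0.1 explicitly and restart the service.'
    exit 1
}
'OK: mongod listens on loopback only, and the config says so explicitly.'
```

A loopback binding only keeps remote clients out; any local process on the ATA Center can still talk to the database, so the MongoDB advice linked above about enabling authorization still applies for the local attack case.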

Displaying Windows Performance Counters with Grafana and InfluxDB with a Windows Backend

Categories: Grafana, Hyper-V, InfluxDB

Matthew Hodgkins published a blog earlier this year showing how to set up Grafana and InfluxDB on an Ubuntu server to publish performance counters from Windows:

https://hodgkins.io/windows-metric-dashboards-with-influxdb-and-grafana / https://twitter.com/matthodge

Following his guide to build the dashboard below was very smooth, and this is a crude step-by-step on replicating the feature set on Windows.

Credit: Matthew Hodgkins

I wanted to try the same with a Windows backend instead of Ubuntu. Please note this is thrown in with a shovel: paths, users and logging are left at their defaults, and everything runs as user processes rather than services. An updated post will follow; I just wanted to get the first parts working.

Heading to https://www.influxdata.com/downloads/ to download Telegraf and InfluxDB.

I installed a Windows Server 2016, downloaded InfluxDB and copied the files into Program Files.

Started influxd, and 15 seconds later we have a default-installed InfluxDB ready for use.

On the same box I downloaded the newest version of Grafana from http://grafana.org/download/

and started the services.

On the two Hyper-V hosts used in the test I installed the Telegraf client and used the default performance counters it picks up; the only change was setting the hostname of the InfluxDB server it should deliver the counters to.

Logging into Grafana with the default admin/admin (change it before anyone else can reach the box).

In Grafana, go to Data Sources and Add data source, select InfluxDB.

Add localhost:8086 for the InfluxDB URL, telegraf for the database, and a dummy username/password (InfluxDB is running without authentication here).

And we now have a data source we can use.

In Dashboards, select Create New.

Select the Graph panel.

It creates a default view; click "Panel Title" and select Edit.

Delete the placeholder query and add our LocalInfluxDB as the data source,

then select win_cpu / Percent_Processor_Time, group by tag (host), and set the alias to $tag_host.

Setting Y-Max to 100 shows utilisation on a 0-100 scale instead of scaling to the maximum load.

Adding thresholds to show warning/critical (Grafana v4 supports alerting; I will get back to that in the next post).

And the end result: CPU utilisation displayed for the two hosts.
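The click-through above, done through the Grafana HTTP API instead, as an added example of my own (not code from the post, from Matthew Hodgkins or from Grafana). It changes the default admin/admin password first, adds the InfluxDB data source, and creates the CPU panel with the same settings as the screenshots: win_cpu / Percent_Processor_Time grouped by host, alias $tag_host, Y-max 100 and warning/critical thresholds. Assumptions: Grafana 4.x on localhost:3000 still using admin/admin, InfluxDB on localhost:8086 without authentication with the Telegraf database named telegraf, and the Grafana 4 "rows" dashboard schema (Grafana 5 and later migrate it on import). The filter on the _Total instance is my addition; "instance" is the tag name Telegraf's win_perf_counters input emits.

```powershell
# Added example (not from the original post): provision the Grafana side through the API.
# Assumptions: Grafana 4.x at http://localhost:3000 with the default admin/admin,
# InfluxDB at http://localhost:8086 without auth, Telegraf writing to database 'telegraf'.
$grafana = 'http://localhost:3000'
$secure  = Read-Host -AsSecureString 'New Grafana admin password'
$plain   = (New-Object System.Management.Automation.PSCredential('admin', $secure)).GetNetworkCredential().Password

function Invoke-Grafana {
    param([string]$Method, [string]$Path, [object]$Body, [string]$Password)
    $auth   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("admin:$Password"))
    $params = @{
        Method      = $Method
        Uri         = "$grafana$Path"
        Headers     = @{ Authorization = "Basic $auth" }
        ContentType = 'application/json'
    }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 10) }
    Invoke-RestMethod @params
}

# 1. Get rid of admin/admin before the box is reachable by anyone else.
Invoke-Grafana -Method Put -Path '/api/user/password' -Password 'admin' -Body @{
    oldPassword = 'admin'; newPassword = $plain; confirmNew = $plain
} | Out-Null

# 2. Data source: the equivalent of "Add data source, select InfluxDB". No credentials,
#    because this InfluxDB has authentication disabled (the "dummy username/password" case).
Invoke-Grafana -Method Post -Path '/api/datasources' -Password $plain -Body @{
    name = 'LocalInfluxDB'; type = 'influxdb'; access = 'proxy'
    url  = 'http://localhost:8086'; database = 'telegraf'; isDefault = $true
} | Out-Null

# 3. One graph panel with the settings from the screenshots.
$panel = @{
    id = 1; type = 'graph'; title = 'CPU % per host'; datasource = 'LocalInfluxDB'; span = 12
    targets = @(@{
        rawQuery = $true; resultFormat = 'time_series'; alias = '$tag_host'
        # _Total filter is an addition: without it the mean also covers the per-core instances.
        query = 'SELECT mean("Percent_Processor_Time") FROM "win_cpu" WHERE "instance" = ''_Total'' AND $timeFilter GROUP BY time($interval), "host"'
    })
    # Y-max 100 so the axis shows utilisation 0-100 instead of scaling to the current peak.
    yaxes = @(@{ format = 'percent'; min = 0; max = 100 }, @{ format = 'short' })
    # Visual warning/critical bands; Grafana 4 alert rules are a separate definition.
    thresholds = @(
        @{ value = 80; op = 'gt'; colorMode = 'warning';  fill = $true; line = $true },
        @{ value = 90; op = 'gt'; colorMode = 'critical'; fill = $true; line = $true }
    )
}
Invoke-Grafana -Method Post -Path '/api/dashboards/db' -Password $plain -Body @{
    overwrite = $true
    dashboard = @{
        id = $null; title = 'Hyper-V hosts'; schemaVersion = 14
        rows = @(@{ title = 'CPU'; height = '300px'; panels = @($panel) })
    }
}
```

Running it twice is safe for the dashboard (overwrite) but the data source POST will fail the second time with "data source with same name already exists"; delete it or switch that call to PUT /api/datasources/{id} if you want it idempotent.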
Updating ATA to version 1.7

Categories: Active Directory, ATA, Security

Microsoft is keeping up the fast pace of updates to the star of their "classic" AD security solutions.

So we saw version 1.7 drop yesterday.

New major features are

· Role based access control.

· Windows Server Core support.

· Reconnaissance using Directory Services Enumeration detection.

· Pass-the-Ticket detection enhancements.

· Unusual Protocol Implementation detection enhancements.

Link: https://support.microsoft.com/en-us/kb/3185481

Personally we are looking forward to RBAC; it is a major improvement for the majority of our customers and has been highly requested.

Starting the install. We are upgrading from 1.6.1; we have a few environments on 1.4, and there is NO direct upgrade from 1.4 to 1.7.

At upgrade we can either migrate the whole database or do a partial migration. We opted for partial, as having ATA offline for a longer duration was not an option. The database is placed on SSD so it is unlikely a full migration would take a day, but we will test that in another environment.

Success.

New UX for updating the gateways and an improved progress indicator.

And we now have a few new security groups.

This means we can give auditors access to the environment without handing them the keys to the kingdom.
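Granting that auditor access with the new groups, as an added example of my own (not from the post or from Microsoft): it puts an auditor into the read-only role and then reports the membership of the three RBAC groups, warning if any account sits in more than one of them. It assumes it runs on the ATA Center with the LocalAccounts module (Windows Server 2016 / PowerShell 5.1), that the auditor account name is the one passed in, and that the group names below are the local groups the ATA 1.7 installer creates; verify the names on your own Center with Get-LocalGroup.

```powershell
# Added example (not from the original post): least-privilege access for an auditor via the
# ATA 1.7 RBAC groups, plus a check that nobody holds more than one role.
# Assumptions: run on the ATA Center (PowerShell 5.1 LocalAccounts module); group names are
# the local groups created by the ATA 1.7 installer, confirm with Get-LocalGroup.
param([string]$Auditor = 'STACKDEMO\auditor')   # placeholder account name

$roles = @{
    Administrators = 'Microsoft Advanced Threat Analytics Administrators'
    Users          = 'Microsoft Advanced Threat Analytics Users'
    Viewers        = 'Microsoft Advanced Threat Analytics Viewers'
}

# Viewers is the read-only role: enough to read the console, no configuration rights.
$already = Get-LocalGroupMember -Group $roles.Viewers -Member $Auditor -ErrorAction SilentlyContinue
if (-not $already) {
    Add-LocalGroupMember -Group $roles.Viewers -Member $Auditor
    "Added $Auditor to '$($roles.Viewers)'"
}

# Membership report per role.
$membership = foreach ($role in $roles.Keys) {
    Get-LocalGroupMember -Group $roles[$role] | ForEach-Object {
        [pscustomobject]@{ Role = $role; Member = $_.Name; Type = $_.ObjectClass }
    }
}
$membership | Sort-Object Role, Member | Format-Table -AutoSize

# Anyone in two roles effectively has the higher one; that defeats the point of giving
# auditors a separate group.
$membership | Group-Object Member | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ('{0} holds several ATA roles ({1}); keep auditors in Viewers only.' -f $_.Name, ($_.Group.Role -join ', '))
}
```

Nested domain groups are reported as a single group member here; expand them on the domain side if you need to know which individual accounts end up with which role.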